@agent-native/core 0.14.8 → 0.15.1

package/dist/server/request-context.js.map

@@ -1 +1 @@
-{"version":3,"file":"request-context.js","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAiErD,MAAM,UAAU,GAAG,gCAAyC,CAAC;AAC7D,MAAM,aAAa,GAAG,sCAA+C,CAAC;AAMtE,MAAM,SAAS,GAAG,UAAsC,CAAC;AACzD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;IAC3B,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAClE,CAAC;AACD,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;IAC9B,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;AAChC,CAAC;AACD,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAE,CAAC;AACnC,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,CAAE,CAAC;AAE5C;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgC;IAEhC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,OAAO,GAAG,EAAE;QACV,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC;YAAE,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAmB,EACnB,EAAwB;IAExB,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE;QACvB,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,GAAG,CAAC,GAAG,CAAC,CAAC;gBACX,CAAC;gBAAC,MAAM,CAAC;oBACP,+CAA+C;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,KAAK,SAAS,CAAC;AACtC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC;IAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,mBAAmB,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,4BAA4B;IAG1C,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB;IAIlC,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC,GAAG;QAAE,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;IAC/B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC","sourcesContent":["/**\n * Per-request context using AsyncLocalStorage.\n *\n * Replaces the unsafe pattern of mutating `process.env.AGENT_USER_EMAIL` /\n * `process.env.AGENT_ORG_ID` on every request. On Node.js (Netlify, self-hosted)\n * concurrent requests would overwrite each other's env vars. AsyncLocalStorage\n * gives each async call-chain its own isolated context.\n *\n * Supported on all deployment targets:\n * - Node.js (native)\n * - Cloudflare Workers (via nodejs_compat flag)\n * - Deno Deploy (via node:async_hooks compat)\n *\n * For CLI scripts that run outside a request context, the getters fall back to\n * process.env so existing `AGENT_USER_EMAIL=x pnpm action foo` invocations\n * continue to work.\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\n\n/**\n * Per-request agent-run state. Lives on `RequestContext.run` so the\n * agent-chat plugin can populate fields as the run progresses (owner,\n * resolved API key, system prompt, engine, model, threadId) without\n * mutating module-scope `let` bindings — those leak across concurrent\n * requests on a single Node.js process.\n *\n * Mutated in-place by `prepareRun`, `onEngineResolved`, `onRunStart` so\n * tool factory closures (automation, fetch, team, builder-browser) read\n * the live per-request value via `getRequestRunContext()`.\n */\nexport interface RequestRunContext {\n  /** Origin of the current request (used by the builder-browser tool). */\n  requestOrigin?: string;\n  /** Resolved owner email (set by prepareRun). */\n  owner?: string;\n  /** Owner's active Anthropic API key (set by prepareRun). */\n  userApiKey?: string;\n  /** Thread ID for the current run (set by onRunStart). */\n  threadId?: string;\n  /** System prompt actually sent to the model for this run. */\n  systemPrompt?: string;\n  /** Engine instance for this run (set by onEngineResolved). */\n  engine?: import(\"../agent/engine/types.js\").AgentEngine;\n  /** Model name for this run (set by onEngineResolved). */\n  model?: string;\n  /** Tool calls made so far in the current agent loop. */\n  toolCalls?: Array<{ name: string; input: unknown }>;\n  /** Tool results returned so far in the current agent loop. */\n  toolResults?: Array<{ name: string; content: string; isError: boolean }>;\n}\n\nexport interface RequestContext {\n  userEmail?: string;\n  userName?: string;\n  orgId?: string;\n  timezone?: string;\n  /**\n   * True when this request is being processed by an integration-platform\n   * webhook (Slack, Telegram, etc.) where the function timeout is the\n   * binding constraint. Code that calls slow remote APIs can use this to apply\n   * tighter budgets on this path while leaving normal agent-chat callers\n   * (5+ min budget) unaffected.\n   */\n  isIntegrationCaller?: boolean;\n  /**\n   * Metadata for the currently-processing integration task. This lets tools\n   * that start long-running remote work persist a continuation that can update\n   * the originating platform thread after the current function budget ends.\n   */\n  integration?: {\n    taskId: string;\n    attempts?: number;\n    incoming: import(\"../integrations/types.js\").IncomingMessage;\n    placeholderRef?: string;\n  };\n  /**\n   * Mutable per-request agent-run state. Populated by the agent-chat plugin\n   * during a run; tool closures dereference it on each invocation.\n   */\n  run?: RequestRunContext;\n}\n\nconst GLOBAL_KEY = \"__agentNativeRequestContextAls\" as const;\nconst OBSERVERS_KEY = \"__agentNativeRequestContextObservers\" as const;\ntype RequestContextObserver = (ctx: RequestContext) => void;\ntype GlobalWithRequestContext = typeof globalThis & {\n  [GLOBAL_KEY]?: AsyncLocalStorage<RequestContext>;\n  [OBSERVERS_KEY]?: RequestContextObserver[];\n};\nconst globalRef = globalThis as GlobalWithRequestContext;\nif (!globalRef[GLOBAL_KEY]) {\n  globalRef[GLOBAL_KEY] = new AsyncLocalStorage<RequestContext>();\n}\nif (!globalRef[OBSERVERS_KEY]) {\n  globalRef[OBSERVERS_KEY] = [];\n}\nconst als = globalRef[GLOBAL_KEY]!;\nconst observers = globalRef[OBSERVERS_KEY]!;\n\n/**\n * Register a callback fired every time `runWithRequestContext` enters a new\n * scope. The hook runs INSIDE the AsyncLocalStorage scope, so observability\n * helpers that read the current isolation scope (e.g. Sentry) attach to the\n * right per-request context.\n *\n * Returned function unregisters the observer. Observers must never throw —\n * any error is swallowed so a misbehaving observer can't break the request\n * path.\n */\nexport function addRequestContextObserver(\n  observer: RequestContextObserver,\n): () => void {\n  observers.push(observer);\n  return () => {\n    const i = observers.indexOf(observer);\n    if (i !== -1) observers.splice(i, 1);\n  };\n}\n\n/**\n * Run a callback within a per-request context. The context is available to all\n * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.\n *\n * Any registered `addRequestContextObserver` callbacks fire inside the new\n * scope before `fn` runs, so observability code can pin user/org info onto\n * isolation-scoped backends (Sentry, OpenTelemetry, etc.).\n */\nexport function runWithRequestContext<T>(\n  ctx: RequestContext,\n  fn: () => T | Promise<T>,\n): T | Promise<T> {\n  return als.run(ctx, () => {\n    if (observers.length > 0) {\n      for (const obs of observers) {\n        try {\n          obs(ctx);\n        } catch {\n          // Observers must never break the request path.\n        }\n      }\n    }\n    return fn();\n  });\n}\n\n/**\n * Return the active request context, if this call chain is running under one.\n *\n * This is intentionally distinct from `getRequestUserEmail()`: callers that\n * have an active context with no authenticated user must not fall through to\n * process-wide CLI fallbacks such as `AGENT_USER_EMAIL` or \"latest session\".\n */\nexport function getRequestContext(): RequestContext | undefined {\n  return als.getStore();\n}\n\n/**\n * True when AsyncLocalStorage has an active context for this call chain.\n * Useful for helpers that support both HTTP requests and standalone CLI runs.\n */\nexport function hasRequestContext(): boolean {\n  return als.getStore() !== undefined;\n}\n\n/**\n * Get the current request's user email.\n *\n * - If a request context exists (HTTP/A2A path), returns its `userEmail` —\n *   even when that value is `undefined`. The env fallback MUST NOT fire here:\n *   a stale process-wide `AGENT_USER_EMAIL` from a CLI run or previous bug\n *   would leak into an unauthenticated A2A/API call (e.g. unsigned or API-key\n *   modes where `runWithRequestContext({ userEmail: undefined })` is used).\n * - Only when there is NO request context (CLI scripts) do we fall back to\n *   `process.env.AGENT_USER_EMAIL`.\n */\nexport function getRequestUserEmail(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.userEmail;\n  return process.env.AGENT_USER_EMAIL;\n}\n\n/**\n * Get the current request's display name, when the auth provider supplied one.\n *\n * The same request-context fallback rules as `getRequestUserEmail()` apply:\n * HTTP/A2A calls only read AsyncLocalStorage, while CLI scripts may opt in via\n * `AGENT_USER_NAME`.\n */\nexport function getRequestUserName(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.userName;\n  return process.env.AGENT_USER_NAME;\n}\n\n/**\n * Get the current request's org ID.\n *\n * Same store-aware semantics as `getRequestUserEmail()` — env fallback is\n * CLI-only, so a request that explicitly has no org doesn't inherit a stale\n * `process.env.AGENT_ORG_ID` from a prior request on the same Lambda instance.\n */\nexport function getRequestOrgId(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.orgId;\n  return process.env.AGENT_ORG_ID;\n}\n\n/**\n * Get the current request's IANA timezone (e.g. \"America/Los_Angeles\").\n * The UI sends this via the `x-user-timezone` header on every action call, and\n * the agent chat plugin propagates it into the request context so that\n * agent-initiated tool calls also see the user's timezone. Falls back to\n * `process.env.AGENT_USER_TIMEZONE` only for CLI scripts (no request context).\n */\nexport function getRequestTimezone(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.timezone;\n  return process.env.AGENT_USER_TIMEZONE;\n}\n\n/**\n * Returns true when this request is on an integration-platform path (Slack,\n * Telegram, etc.) — i.e. we're inside the integration plugin's processor\n * function and the platform's deliver-by deadline plus the host's function\n * timeout are the binding budget. Non-integration callers (CLI, normal\n * agent chat) should treat this as `false`.\n */\nexport function isIntegrationCallerRequest(): boolean {\n  return als.getStore()?.isIntegrationCaller === true;\n}\n\nexport function getIntegrationRequestContext():\n  | NonNullable<RequestContext[\"integration\"]>\n  | undefined {\n  return als.getStore()?.integration;\n}\n\n/**\n * Convenience: returns `{ userEmail, orgId }` from the active request context,\n * suitable for passing to `resolveCredential(key, ctx)`. Returns `null` when\n * no user is associated with the call (e.g. an unauthenticated public route).\n *\n * For framework actions auto-mounted at `/_agent-native/actions/...` this is\n * always populated because action-routes wraps every invocation in\n * `runWithRequestContext`. For hand-written `/api/*` routes the calling code\n * is responsible for setting up the context (see `runWithRequestContext`).\n */\nexport function getCredentialContext(): {\n  userEmail: string;\n  orgId: string | null;\n} | null {\n  const userEmail = getRequestUserEmail();\n  if (!userEmail) return null;\n  return { userEmail, orgId: getRequestOrgId() ?? null };\n}\n\n/**\n * Get the active request's mutable agent-run state. Returns `undefined` when\n * called outside an agent run (e.g. before `prepareRun` or in a non-agent\n * code path). Callers must tolerate the field absence; use the helper\n * `requireRequestRunContext()` if missing context is a programming error.\n */\nexport function getRequestRunContext(): RequestRunContext | undefined {\n  const store = als.getStore();\n  if (!store) return undefined;\n  return store.run;\n}\n\n/**\n * Ensure a `RequestRunContext` exists on the active request store and\n * return it. Used by the agent-chat handler to attach run state once it\n * starts processing a chat request. Returns `undefined` if there is no\n * active request store (caller should not be invoking this outside ALS).\n */\nexport function ensureRequestRunContext(): RequestRunContext | undefined {\n  const store = als.getStore();\n  if (!store) return undefined;\n  if (!store.run) store.run = {};\n  return store.run;\n}\n"]}
+{"version":3,"file":"request-context.js","sourceRoot":"","sources":["../../src/server/request-context.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;;;;GAgBG;AACH,OAAO,EAAE,iBAAiB,EAAE,MAAM,kBAAkB,CAAC;AAyErD,MAAM,UAAU,GAAG,gCAAyC,CAAC;AAC7D,MAAM,aAAa,GAAG,sCAA+C,CAAC;AAMtE,MAAM,SAAS,GAAG,UAAsC,CAAC;AACzD,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,EAAE,CAAC;IAC3B,SAAS,CAAC,UAAU,CAAC,GAAG,IAAI,iBAAiB,EAAkB,CAAC;AAClE,CAAC;AACD,IAAI,CAAC,SAAS,CAAC,aAAa,CAAC,EAAE,CAAC;IAC9B,SAAS,CAAC,aAAa,CAAC,GAAG,EAAE,CAAC;AAChC,CAAC;AACD,MAAM,GAAG,GAAG,SAAS,CAAC,UAAU,CAAE,CAAC;AACnC,MAAM,SAAS,GAAG,SAAS,CAAC,aAAa,CAAE,CAAC;AAE5C;;;;;;;;;GASG;AACH,MAAM,UAAU,yBAAyB,CACvC,QAAgC;IAEhC,SAAS,CAAC,IAAI,CAAC,QAAQ,CAAC,CAAC;IACzB,OAAO,GAAG,EAAE;QACV,MAAM,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,QAAQ,CAAC,CAAC;QACtC,IAAI,CAAC,KAAK,CAAC,CAAC;YAAE,SAAS,CAAC,MAAM,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC;IACvC,CAAC,CAAC;AACJ,CAAC;AAED;;;;;;;GAOG;AACH,MAAM,UAAU,qBAAqB,CACnC,GAAmB,EACnB,EAAwB;IAExB,OAAO,GAAG,CAAC,GAAG,CAAC,GAAG,EAAE,GAAG,EAAE;QACvB,IAAI,SAAS,CAAC,MAAM,GAAG,CAAC,EAAE,CAAC;YACzB,KAAK,MAAM,GAAG,IAAI,SAAS,EAAE,CAAC;gBAC5B,IAAI,CAAC;oBACH,GAAG,CAAC,GAAG,CAAC,CAAC;gBACX,CAAC;gBAAC,MAAM,CAAC;oBACP,+CAA+C;gBACjD,CAAC;YACH,CAAC;QACH,CAAC;QACD,OAAO,EAAE,EAAE,CAAC;IACd,CAAC,CAAC,CAAC;AACL,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,CAAC;AACxB,CAAC;AAED;;;GAGG;AACH,MAAM,UAAU,iBAAiB;IAC/B,OAAO,GAAG,CAAC,QAAQ,EAAE,KAAK,SAAS,CAAC;AACtC,CAAC;AAED;;;;;;;;;;GAUG;AACH,MAAM,UAAU,mBAAmB;IACjC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,SAAS,CAAC;IAChD,OAAO,OAAO,CAAC,GAAG,CAAC,gBAAgB,CAAC;AACtC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,eAAe,CAAC;AACrC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,eAAe;IAC7B,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,KAAK,CAAC;IAC5C,OAAO,OAAO,CAAC,GAAG,CAAC,YAAY,CAAC;AAClC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,kBAAkB;IAChC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC,QAAQ,CAAC;IAC/C,OAAO,OAAO,CAAC,GAAG,CAAC,mBAAmB,CAAC;AACzC,CAAC;AAED;;;;;;GAMG;AACH,MAAM,UAAU,0BAA0B;IACxC,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,mBAAmB,KAAK,IAAI,CAAC;AACtD,CAAC;AAED,MAAM,UAAU,4BAA4B;IAG1C,OAAO,GAAG,CAAC,QAAQ,EAAE,EAAE,WAAW,CAAC;AACrC,CAAC;AAED;;;;;;;;;GASG;AACH,MAAM,UAAU,oBAAoB;IAIlC,MAAM,SAAS,GAAG,mBAAmB,EAAE,CAAC;IACxC,IAAI,CAAC,SAAS;QAAE,OAAO,IAAI,CAAC;IAC5B,OAAO,EAAE,SAAS,EAAE,KAAK,EAAE,eAAe,EAAE,IAAI,IAAI,EAAE,CAAC;AACzD,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,oBAAoB;IAClC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC;AAED;;;;;GAKG;AACH,MAAM,UAAU,uBAAuB;IACrC,MAAM,KAAK,GAAG,GAAG,CAAC,QAAQ,EAAE,CAAC;IAC7B,IAAI,CAAC,KAAK;QAAE,OAAO,SAAS,CAAC;IAC7B,IAAI,CAAC,KAAK,CAAC,GAAG;QAAE,KAAK,CAAC,GAAG,GAAG,EAAE,CAAC;IAC/B,OAAO,KAAK,CAAC,GAAG,CAAC;AACnB,CAAC","sourcesContent":["/**\n * Per-request context using AsyncLocalStorage.\n *\n * Replaces the unsafe pattern of mutating `process.env.AGENT_USER_EMAIL` /\n * `process.env.AGENT_ORG_ID` on every request. On Node.js (Netlify, self-hosted)\n * concurrent requests would overwrite each other's env vars. AsyncLocalStorage\n * gives each async call-chain its own isolated context.\n *\n * Supported on all deployment targets:\n * - Node.js (native)\n * - Cloudflare Workers (via nodejs_compat flag)\n * - Deno Deploy (via node:async_hooks compat)\n *\n * For CLI scripts that run outside a request context, the getters fall back to\n * process.env so existing `AGENT_USER_EMAIL=x pnpm action foo` invocations\n * continue to work.\n */\nimport { AsyncLocalStorage } from \"node:async_hooks\";\n\n/**\n * Per-request agent-run state. Lives on `RequestContext.run` so the\n * agent-chat plugin can populate fields as the run progresses (owner,\n * resolved API key, system prompt, engine, model, threadId) without\n * mutating module-scope `let` bindings — those leak across concurrent\n * requests on a single Node.js process.\n *\n * Mutated in-place by `prepareRun`, `onEngineResolved`, `onRunStart` so\n * tool factory closures (automation, fetch, team, builder-browser) read\n * the live per-request value via `getRequestRunContext()`.\n */\nexport interface RequestRunContext {\n  /** Origin of the current request (used by the builder-browser tool). */\n  requestOrigin?: string;\n  /** Stable browser tab id for tab-scoped app-state reads/writes. */\n  browserTabId?: string;\n  /** Resource scope for the current chat thread, e.g. the active deck. */\n  chatScope?: {\n    type: string;\n    id: string;\n    label?: string;\n  } | null;\n  /** Resolved owner email (set by prepareRun). */\n  owner?: string;\n  /** Owner's active Anthropic API key (set by prepareRun). */\n  userApiKey?: string;\n  /** Thread ID for the current run (set by onRunStart). */\n  threadId?: string;\n  /** System prompt actually sent to the model for this run. */\n  systemPrompt?: string;\n  /** Engine instance for this run (set by onEngineResolved). */\n  engine?: import(\"../agent/engine/types.js\").AgentEngine;\n  /** Model name for this run (set by onEngineResolved). */\n  model?: string;\n  /** Tool calls made so far in the current agent loop. */\n  toolCalls?: Array<{ name: string; input: unknown }>;\n  /** Tool results returned so far in the current agent loop. */\n  toolResults?: Array<{ name: string; content: string; isError: boolean }>;\n}\n\nexport interface RequestContext {\n  userEmail?: string;\n  userName?: string;\n  orgId?: string;\n  timezone?: string;\n  /**\n   * True when this request is being processed by an integration-platform\n   * webhook (Slack, Telegram, etc.) where the function timeout is the\n   * binding constraint. Code that calls slow remote APIs can use this to apply\n   * tighter budgets on this path while leaving normal agent-chat callers\n   * (5+ min budget) unaffected.\n   */\n  isIntegrationCaller?: boolean;\n  /**\n   * Metadata for the currently-processing integration task. This lets tools\n   * that start long-running remote work persist a continuation that can update\n   * the originating platform thread after the current function budget ends.\n   */\n  integration?: {\n    taskId: string;\n    attempts?: number;\n    incoming: import(\"../integrations/types.js\").IncomingMessage;\n    placeholderRef?: string;\n  };\n  /**\n   * Mutable per-request agent-run state. Populated by the agent-chat plugin\n   * during a run; tool closures dereference it on each invocation.\n   */\n  run?: RequestRunContext;\n}\n\nconst GLOBAL_KEY = \"__agentNativeRequestContextAls\" as const;\nconst OBSERVERS_KEY = \"__agentNativeRequestContextObservers\" as const;\ntype RequestContextObserver = (ctx: RequestContext) => void;\ntype GlobalWithRequestContext = typeof globalThis & {\n  [GLOBAL_KEY]?: AsyncLocalStorage<RequestContext>;\n  [OBSERVERS_KEY]?: RequestContextObserver[];\n};\nconst globalRef = globalThis as GlobalWithRequestContext;\nif (!globalRef[GLOBAL_KEY]) {\n  globalRef[GLOBAL_KEY] = new AsyncLocalStorage<RequestContext>();\n}\nif (!globalRef[OBSERVERS_KEY]) {\n  globalRef[OBSERVERS_KEY] = [];\n}\nconst als = globalRef[GLOBAL_KEY]!;\nconst observers = globalRef[OBSERVERS_KEY]!;\n\n/**\n * Register a callback fired every time `runWithRequestContext` enters a new\n * scope. The hook runs INSIDE the AsyncLocalStorage scope, so observability\n * helpers that read the current isolation scope (e.g. Sentry) attach to the\n * right per-request context.\n *\n * Returned function unregisters the observer. Observers must never throw —\n * any error is swallowed so a misbehaving observer can't break the request\n * path.\n */\nexport function addRequestContextObserver(\n  observer: RequestContextObserver,\n): () => void {\n  observers.push(observer);\n  return () => {\n    const i = observers.indexOf(observer);\n    if (i !== -1) observers.splice(i, 1);\n  };\n}\n\n/**\n * Run a callback within a per-request context. The context is available to all\n * async operations spawned from `fn` via `getRequestUserEmail()` / `getRequestOrgId()`.\n *\n * Any registered `addRequestContextObserver` callbacks fire inside the new\n * scope before `fn` runs, so observability code can pin user/org info onto\n * isolation-scoped backends (Sentry, OpenTelemetry, etc.).\n */\nexport function runWithRequestContext<T>(\n  ctx: RequestContext,\n  fn: () => T | Promise<T>,\n): T | Promise<T> {\n  return als.run(ctx, () => {\n    if (observers.length > 0) {\n      for (const obs of observers) {\n        try {\n          obs(ctx);\n        } catch {\n          // Observers must never break the request path.\n        }\n      }\n    }\n    return fn();\n  });\n}\n\n/**\n * Return the active request context, if this call chain is running under one.\n *\n * This is intentionally distinct from `getRequestUserEmail()`: callers that\n * have an active context with no authenticated user must not fall through to\n * process-wide CLI fallbacks such as `AGENT_USER_EMAIL` or \"latest session\".\n */\nexport function getRequestContext(): RequestContext | undefined {\n  return als.getStore();\n}\n\n/**\n * True when AsyncLocalStorage has an active context for this call chain.\n * Useful for helpers that support both HTTP requests and standalone CLI runs.\n */\nexport function hasRequestContext(): boolean {\n  return als.getStore() !== undefined;\n}\n\n/**\n * Get the current request's user email.\n *\n * - If a request context exists (HTTP/A2A path), returns its `userEmail` —\n *   even when that value is `undefined`. The env fallback MUST NOT fire here:\n *   a stale process-wide `AGENT_USER_EMAIL` from a CLI run or previous bug\n *   would leak into an unauthenticated A2A/API call (e.g. unsigned or API-key\n *   modes where `runWithRequestContext({ userEmail: undefined })` is used).\n * - Only when there is NO request context (CLI scripts) do we fall back to\n *   `process.env.AGENT_USER_EMAIL`.\n */\nexport function getRequestUserEmail(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.userEmail;\n  return process.env.AGENT_USER_EMAIL;\n}\n\n/**\n * Get the current request's display name, when the auth provider supplied one.\n *\n * The same request-context fallback rules as `getRequestUserEmail()` apply:\n * HTTP/A2A calls only read AsyncLocalStorage, while CLI scripts may opt in via\n * `AGENT_USER_NAME`.\n */\nexport function getRequestUserName(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.userName;\n  return process.env.AGENT_USER_NAME;\n}\n\n/**\n * Get the current request's org ID.\n *\n * Same store-aware semantics as `getRequestUserEmail()` — env fallback is\n * CLI-only, so a request that explicitly has no org doesn't inherit a stale\n * `process.env.AGENT_ORG_ID` from a prior request on the same Lambda instance.\n */\nexport function getRequestOrgId(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.orgId;\n  return process.env.AGENT_ORG_ID;\n}\n\n/**\n * Get the current request's IANA timezone (e.g. \"America/Los_Angeles\").\n * The UI sends this via the `x-user-timezone` header on every action call, and\n * the agent chat plugin propagates it into the request context so that\n * agent-initiated tool calls also see the user's timezone. Falls back to\n * `process.env.AGENT_USER_TIMEZONE` only for CLI scripts (no request context).\n */\nexport function getRequestTimezone(): string | undefined {\n  const store = als.getStore();\n  if (store !== undefined) return store.timezone;\n  return process.env.AGENT_USER_TIMEZONE;\n}\n\n/**\n * Returns true when this request is on an integration-platform path (Slack,\n * Telegram, etc.) — i.e. we're inside the integration plugin's processor\n * function and the platform's deliver-by deadline plus the host's function\n * timeout are the binding budget. Non-integration callers (CLI, normal\n * agent chat) should treat this as `false`.\n */\nexport function isIntegrationCallerRequest(): boolean {\n  return als.getStore()?.isIntegrationCaller === true;\n}\n\nexport function getIntegrationRequestContext():\n  | NonNullable<RequestContext[\"integration\"]>\n  | undefined {\n  return als.getStore()?.integration;\n}\n\n/**\n * Convenience: returns `{ userEmail, orgId }` from the active request context,\n * suitable for passing to `resolveCredential(key, ctx)`. Returns `null` when\n * no user is associated with the call (e.g. an unauthenticated public route).\n *\n * For framework actions auto-mounted at `/_agent-native/actions/...` this is\n * always populated because action-routes wraps every invocation in\n * `runWithRequestContext`. For hand-written `/api/*` routes the calling code\n * is responsible for setting up the context (see `runWithRequestContext`).\n */\nexport function getCredentialContext(): {\n  userEmail: string;\n  orgId: string | null;\n} | null {\n  const userEmail = getRequestUserEmail();\n  if (!userEmail) return null;\n  return { userEmail, orgId: getRequestOrgId() ?? null };\n}\n\n/**\n * Get the active request's mutable agent-run state. Returns `undefined` when\n * called outside an agent run (e.g. before `prepareRun` or in a non-agent\n * code path). Callers must tolerate the field absence; use the helper\n * `requireRequestRunContext()` if missing context is a programming error.\n */\nexport function getRequestRunContext(): RequestRunContext | undefined {\n  const store = als.getStore();\n  if (!store) return undefined;\n  return store.run;\n}\n\n/**\n * Ensure a `RequestRunContext` exists on the active request store and\n * return it. Used by the agent-chat handler to attach run state once it\n * starts processing a chat request. Returns `undefined` if there is no\n * active request store (caller should not be invoking this outside ALS).\n */\nexport function ensureRequestRunContext(): RequestRunContext | undefined {\n  const store = als.getStore();\n  if (!store) return undefined;\n  if (!store.run) store.run = {};\n  return store.run;\n}\n"]}

package/dist/shared/index.d.ts

@@ -2,5 +2,7 @@ export { agentChat, type AgentChatMessage, type AgentChatCallOptions, type Agent
 export { agentEnv, type EnvVar } from "./agent-env.js";
 export { extractOAuthStateAppId } from "./oauth-state.js";
 export { truncate } from "./truncate.js";
+export { llmConnectionTrackingProperties, normalizeLlmConnection, type LlmConnectionStatus, } from "./llm-connection.js";
 export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
+export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, type WorkspaceAppRouteAccess, type WorkspaceAppRouteAccessFromConfig, type WorkspaceAppAudience, } from "./workspace-app-audience.js";
 //# sourceMappingURL=index.d.ts.map

package/dist/shared/index.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC"}
+{"version":3,"file":"index.d.ts","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,EACT,KAAK,gBAAgB,EACrB,KAAK,oBAAoB,EACzB,KAAK,iBAAiB,GACvB,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAE,KAAK,MAAM,EAAE,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,EACtB,KAAK,mBAAmB,GACzB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,EACtC,KAAK,uBAAuB,EAC5B,KAAK,iCAAiC,EACtC,KAAK,oBAAoB,GAC1B,MAAM,6BAA6B,CAAC"}

package/dist/shared/index.js

@@ -2,5 +2,7 @@ export { agentChat, } from "./agent-chat.js";
 export { agentEnv } from "./agent-env.js";
 export { extractOAuthStateAppId } from "./oauth-state.js";
 export { truncate } from "./truncate.js";
+export { llmConnectionTrackingProperties, normalizeLlmConnection, } from "./llm-connection.js";
 export { DISPATCH_WORKSPACE_ROOT_REDIRECTS, RESERVED_WORKSPACE_APP_IDS, assertValidWorkspaceAppId, getWorkspaceAppIdValidationError, isValidWorkspaceAppIdFormat, } from "./workspace-app-id.js";
+export { DEFAULT_WORKSPACE_APP_AUDIENCE, WORKSPACE_APP_AUDIENCES, normalizeWorkspaceAppAudience, normalizeWorkspaceAppPathList, workspaceAppAudienceFromEnv, workspaceAppAudienceFromPackageJson, workspaceAppRouteAccessFromEnv, workspaceAppRouteAccessFromPackageJson, } from "./workspace-app-audience.js";
 //# sourceMappingURL=index.js.map

package/dist/shared/index.js.map

@@ -1 +1 @@
-{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC","sourcesContent":["export {\n  agentChat,\n  type AgentChatMessage,\n  type AgentChatCallOptions,\n  type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n  DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n  RESERVED_WORKSPACE_APP_IDS,\n  assertValidWorkspaceAppId,\n  getWorkspaceAppIdValidationError,\n  isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\n"]}
+{"version":3,"file":"index.js","sourceRoot":"","sources":["../../src/shared/index.ts"],"names":[],"mappings":"AAAA,OAAO,EACL,SAAS,GAIV,MAAM,iBAAiB,CAAC;AACzB,OAAO,EAAE,QAAQ,EAAe,MAAM,gBAAgB,CAAC;AACvD,OAAO,EAAE,sBAAsB,EAAE,MAAM,kBAAkB,CAAC;AAC1D,OAAO,EAAE,QAAQ,EAAE,MAAM,eAAe,CAAC;AACzC,OAAO,EACL,+BAA+B,EAC/B,sBAAsB,GAEvB,MAAM,qBAAqB,CAAC;AAC7B,OAAO,EACL,iCAAiC,EACjC,0BAA0B,EAC1B,yBAAyB,EACzB,gCAAgC,EAChC,2BAA2B,GAC5B,MAAM,uBAAuB,CAAC;AAC/B,OAAO,EACL,8BAA8B,EAC9B,uBAAuB,EACvB,6BAA6B,EAC7B,6BAA6B,EAC7B,2BAA2B,EAC3B,mCAAmC,EACnC,8BAA8B,EAC9B,sCAAsC,GAIvC,MAAM,6BAA6B,CAAC","sourcesContent":["export {\n  agentChat,\n  type AgentChatMessage,\n  type AgentChatCallOptions,\n  type AgentChatResponse,\n} from \"./agent-chat.js\";\nexport { agentEnv, type EnvVar } from \"./agent-env.js\";\nexport { extractOAuthStateAppId } from \"./oauth-state.js\";\nexport { truncate } from \"./truncate.js\";\nexport {\n  llmConnectionTrackingProperties,\n  normalizeLlmConnection,\n  type LlmConnectionStatus,\n} from \"./llm-connection.js\";\nexport {\n  DISPATCH_WORKSPACE_ROOT_REDIRECTS,\n  RESERVED_WORKSPACE_APP_IDS,\n  assertValidWorkspaceAppId,\n  getWorkspaceAppIdValidationError,\n  isValidWorkspaceAppIdFormat,\n} from \"./workspace-app-id.js\";\nexport {\n  DEFAULT_WORKSPACE_APP_AUDIENCE,\n  WORKSPACE_APP_AUDIENCES,\n  normalizeWorkspaceAppAudience,\n  normalizeWorkspaceAppPathList,\n  workspaceAppAudienceFromEnv,\n  workspaceAppAudienceFromPackageJson,\n  workspaceAppRouteAccessFromEnv,\n  workspaceAppRouteAccessFromPackageJson,\n  type WorkspaceAppRouteAccess,\n  type WorkspaceAppRouteAccessFromConfig,\n  type WorkspaceAppAudience,\n} from \"./workspace-app-audience.js\";\n"]}

package/dist/shared/llm-connection.d.ts

@@ -0,0 +1,10 @@
+export interface LlmConnectionStatus {
+    configured?: boolean;
+    engine?: string | null;
+    model?: string | null;
+    source?: string | null;
+    envVar?: string | null;
+}
+export declare function normalizeLlmConnection(engine: string | null | undefined): string;
+export declare function llmConnectionTrackingProperties(status: LlmConnectionStatus | null | undefined): Record<string, unknown>;
+//# sourceMappingURL=llm-connection.d.ts.map

package/dist/shared/llm-connection.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-connection.d.ts","sourceRoot":"","sources":["../../src/shared/llm-connection.ts"],"names":[],"mappings":"AAAA,MAAM,WAAW,mBAAmB;IAClC,UAAU,CAAC,EAAE,OAAO,CAAC;IACrB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,KAAK,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACtB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;IACvB,MAAM,CAAC,EAAE,MAAM,GAAG,IAAI,CAAC;CACxB;AAED,wBAAgB,sBAAsB,CACpC,MAAM,EAAE,MAAM,GAAG,IAAI,GAAG,SAAS,GAChC,MAAM,CAOR;AAED,wBAAgB,+BAA+B,CAC7C,MAAM,EAAE,mBAAmB,GAAG,IAAI,GAAG,SAAS,GAC7C,MAAM,CAAC,MAAM,EAAE,OAAO,CAAC,CAoBzB"}

package/dist/shared/llm-connection.js

@@ -0,0 +1,29 @@
+export function normalizeLlmConnection(engine) {
+    const value = typeof engine === "string" ? engine.trim() : "";
+    if (!value)
+        return "none";
+    if (value.startsWith("ai-sdk:")) {
+        return value.slice("ai-sdk:".length) || value;
+    }
+    return value;
+}
+export function llmConnectionTrackingProperties(status) {
+    if (!status) {
+        return { llm_connection: "unknown" };
+    }
+    if (!status.configured || !status.engine) {
+        return {
+            llm_connection: "none",
+            llm_connection_configured: false,
+        };
+    }
+    return {
+        llm_connection: normalizeLlmConnection(status.engine),
+        llm_connection_configured: true,
+        llm_engine: status.engine,
+        ...(status.model ? { llm_model: status.model } : {}),
+        ...(status.source ? { llm_connection_source: status.source } : {}),
+        ...(status.envVar ? { llm_connection_env_var: status.envVar } : {}),
+    };
+}
+//# sourceMappingURL=llm-connection.js.map

package/dist/shared/llm-connection.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"llm-connection.js","sourceRoot":"","sources":["../../src/shared/llm-connection.ts"],"names":[],"mappings":"AAQA,MAAM,UAAU,sBAAsB,CACpC,MAAiC;IAEjC,MAAM,KAAK,GAAG,OAAO,MAAM,KAAK,QAAQ,CAAC,CAAC,CAAC,MAAM,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;IAC9D,IAAI,CAAC,KAAK;QAAE,OAAO,MAAM,CAAC;IAC1B,IAAI,KAAK,CAAC,UAAU,CAAC,SAAS,CAAC,EAAE,CAAC;QAChC,OAAO,KAAK,CAAC,KAAK,CAAC,SAAS,CAAC,MAAM,CAAC,IAAI,KAAK,CAAC;IAChD,CAAC;IACD,OAAO,KAAK,CAAC;AACf,CAAC;AAED,MAAM,UAAU,+BAA+B,CAC7C,MAA8C;IAE9C,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,OAAO,EAAE,cAAc,EAAE,SAAS,EAAE,CAAC;IACvC,CAAC;IAED,IAAI,CAAC,MAAM,CAAC,UAAU,IAAI,CAAC,MAAM,CAAC,MAAM,EAAE,CAAC;QACzC,OAAO;YACL,cAAc,EAAE,MAAM;YACtB,yBAAyB,EAAE,KAAK;SACjC,CAAC;IACJ,CAAC;IAED,OAAO;QACL,cAAc,EAAE,sBAAsB,CAAC,MAAM,CAAC,MAAM,CAAC;QACrD,yBAAyB,EAAE,IAAI;QAC/B,UAAU,EAAE,MAAM,CAAC,MAAM;QACzB,GAAG,CAAC,MAAM,CAAC,KAAK,CAAC,CAAC,CAAC,EAAE,SAAS,EAAE,MAAM,CAAC,KAAK,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QACpD,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,qBAAqB,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;QAClE,GAAG,CAAC,MAAM,CAAC,MAAM,CAAC,CAAC,CAAC,EAAE,sBAAsB,EAAE,MAAM,CAAC,MAAM,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC;KACpE,CAAC;AACJ,CAAC","sourcesContent":["export interface LlmConnectionStatus {\n  configured?: boolean;\n  engine?: string | null;\n  model?: string | null;\n  source?: string | null;\n  envVar?: string | null;\n}\n\nexport function normalizeLlmConnection(\n  engine: string | null | undefined,\n): string {\n  const value = typeof engine === \"string\" ? engine.trim() : \"\";\n  if (!value) return \"none\";\n  if (value.startsWith(\"ai-sdk:\")) {\n    return value.slice(\"ai-sdk:\".length) || value;\n  }\n  return value;\n}\n\nexport function llmConnectionTrackingProperties(\n  status: LlmConnectionStatus | null | undefined,\n): Record<string, unknown> {\n  if (!status) {\n    return { llm_connection: \"unknown\" };\n  }\n\n  if (!status.configured || !status.engine) {\n    return {\n      llm_connection: \"none\",\n      llm_connection_configured: false,\n    };\n  }\n\n  return {\n    llm_connection: normalizeLlmConnection(status.engine),\n    llm_connection_configured: true,\n    llm_engine: status.engine,\n    ...(status.model ? { llm_model: status.model } : {}),\n    ...(status.source ? { llm_connection_source: status.source } : {}),\n    ...(status.envVar ? { llm_connection_env_var: status.envVar } : {}),\n  };\n}\n"]}

package/dist/shared/workspace-app-audience.d.ts

@@ -0,0 +1,25 @@
+export declare const WORKSPACE_APP_AUDIENCES: readonly ["internal", "public"];
+export type WorkspaceAppAudience = (typeof WORKSPACE_APP_AUDIENCES)[number];
+export declare const DEFAULT_WORKSPACE_APP_AUDIENCE: WorkspaceAppAudience;
+export interface WorkspaceAppRouteAccess {
+    publicPaths: string[];
+    protectedPaths: string[];
+}
+export declare function normalizeWorkspaceAppAudience(value: unknown): WorkspaceAppAudience;
+export declare function normalizeWorkspaceAppPathList(value: unknown): string[];
+export declare function workspaceAppAudienceFromEnv(env?: Record<string, string | undefined>): WorkspaceAppAudience | undefined;
+export declare function workspaceAppRouteAccessFromEnv(env?: Record<string, string | undefined>): WorkspaceAppRouteAccess;
+export declare function workspaceAppAudienceFromPackageJson(pkg: unknown): WorkspaceAppAudience | undefined;
+/**
+ * Per-app route-access config read from a `package.json`. Each field is
+ * `undefined` when the corresponding key is fully absent from every
+ * supported alias chain — that lets callers distinguish "user didn't say"
+ * from "user set [] to clear inherited overrides". `workspaceAppRouteAccess`
+ * always emits a full `WorkspaceAppRouteAccess` for runtime consumption.
+ */
+export interface WorkspaceAppRouteAccessFromConfig {
+    publicPaths?: string[];
+    protectedPaths?: string[];
+}
+export declare function workspaceAppRouteAccessFromPackageJson(pkg: unknown): WorkspaceAppRouteAccessFromConfig;
+//# sourceMappingURL=workspace-app-audience.d.ts.map

package/dist/shared/workspace-app-audience.d.ts.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-app-audience.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-audience.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,uBAAuB,iCAAkC,CAAC;AAEvE,MAAM,MAAM,oBAAoB,GAAG,CAAC,OAAO,uBAAuB,CAAC,CAAC,MAAM,CAAC,CAAC;AAE5E,eAAO,MAAM,8BAA8B,EAAE,oBAAiC,CAAC;AAE/E,MAAM,WAAW,uBAAuB;IACtC,WAAW,EAAE,MAAM,EAAE,CAAC;IACtB,cAAc,EAAE,MAAM,EAAE,CAAC;CAC1B;AAED,wBAAgB,6BAA6B,CAC3C,KAAK,EAAE,OAAO,GACb,oBAAoB,CAEtB;AAED,wBAAgB,6BAA6B,CAAC,KAAK,EAAE,OAAO,GAAG,MAAM,EAAE,CAyBtE;AAED,wBAAgB,2BAA2B,CACzC,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACvC,oBAAoB,GAAG,SAAS,CAOlC;AAED,wBAAgB,8BAA8B,CAC5C,GAAG,CAAC,EAAE,MAAM,CAAC,MAAM,EAAE,MAAM,GAAG,SAAS,CAAC,GACvC,uBAAuB,CAYzB;AAED,wBAAgB,mCAAmC,CACjD,GAAG,EAAE,OAAO,GACX,oBAAoB,GAAG,SAAS,CASlC;AAED;;;;;;GAMG;AACH,MAAM,WAAW,iCAAiC;IAChD,WAAW,CAAC,EAAE,MAAM,EAAE,CAAC;IACvB,cAAc,CAAC,EAAE,MAAM,EAAE,CAAC;CAC3B;AAED,wBAAgB,sCAAsC,CACpD,GAAG,EAAE,OAAO,GACX,iCAAiC,CAuBnC"}

package/dist/shared/workspace-app-audience.js

@@ -0,0 +1,126 @@
+export const WORKSPACE_APP_AUDIENCES = ["internal", "public"];
+export const DEFAULT_WORKSPACE_APP_AUDIENCE = "internal";
+export function normalizeWorkspaceAppAudience(value) {
+    return value === "public" ? "public" : DEFAULT_WORKSPACE_APP_AUDIENCE;
+}
+export function normalizeWorkspaceAppPathList(value) {
+    let rawPaths = [];
+    if (Array.isArray(value)) {
+        rawPaths = value;
+    }
+    else if (typeof value === "string") {
+        const trimmed = value.trim();
+        if (!trimmed)
+            return [];
+        try {
+            const parsed = JSON.parse(trimmed);
+            // When JSON parses to a non-array (e.g. a single quoted string
+            // `"/api"`), use the parsed value, not the original quoted form —
+            // otherwise the `/`-prefix filter below silently drops it.
+            rawPaths = Array.isArray(parsed) ? parsed : [parsed];
+        }
+        catch {
+            rawPaths = trimmed.split(",");
+        }
+    }
+    const paths = rawPaths
+        .map((entry) => (typeof entry === "string" ? entry.trim() : ""))
+        .filter((entry) => entry.startsWith("/"))
+        .map((entry) => entry.length > 1 && entry.endsWith("/") ? entry.slice(0, -1) : entry);
+    return Array.from(new Set(paths));
+}
+export function workspaceAppAudienceFromEnv(env) {
+    const source = env ?? (typeof process !== "undefined" ? process.env : {});
+    const raw = source.AGENT_NATIVE_WORKSPACE_APP_AUDIENCE ??
+        source.VITE_AGENT_NATIVE_WORKSPACE_APP_AUDIENCE;
+    if (raw === undefined)
+        return undefined;
+    return normalizeWorkspaceAppAudience(raw);
+}
+export function workspaceAppRouteAccessFromEnv(env) {
+    const source = env ?? (typeof process !== "undefined" ? process.env : {});
+    return {
+        publicPaths: normalizeWorkspaceAppPathList(source.AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS ??
+            source.VITE_AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS),
+        protectedPaths: normalizeWorkspaceAppPathList(source.AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS ??
+            source.VITE_AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS),
+    };
+}
+export function workspaceAppAudienceFromPackageJson(pkg) {
+    const config = workspaceAppConfigFromPackageJson(pkg);
+    const raw = config?.workspaceApp?.audience ??
+        config?.workspace?.audience ??
+        config?.audience ??
+        config?.root?.workspaceAppAudience;
+    if (raw === undefined)
+        return undefined;
+    return normalizeWorkspaceAppAudience(raw);
+}
+export function workspaceAppRouteAccessFromPackageJson(pkg) {
+    const config = workspaceAppConfigFromPackageJson(pkg);
+    const rawPublic = config?.workspaceApp?.publicPaths ??
+        config?.workspaceApp?.publicPagePaths ??
+        config?.workspace?.publicPaths ??
+        config?.publicPaths ??
+        config?.root?.workspaceAppPublicPaths;
+    const rawProtected = config?.workspaceApp?.protectedPaths ??
+        config?.workspaceApp?.privatePaths ??
+        config?.workspaceApp?.authRequiredPaths ??
+        config?.workspace?.protectedPaths ??
+        config?.protectedPaths ??
+        config?.root?.workspaceAppProtectedPaths;
+    return {
+        ...(isPathConfigValueSet(rawPublic)
+            ? { publicPaths: normalizeWorkspaceAppPathList(rawPublic) }
+            : {}),
+        ...(isPathConfigValueSet(rawProtected)
+            ? { protectedPaths: normalizeWorkspaceAppPathList(rawProtected) }
+            : {}),
+    };
+}
+/**
+ * Only treat a package.json field as "explicitly set" when its raw value is a
+ * supported type — an array, a string, or explicit null. Garbage types like
+ * `false`, `0`, or `{}` are ignored (left as undefined) so a typo such as
+ * `"publicPaths": false` doesn't silently clear an inherited manifest
+ * override. (`normalizeWorkspaceAppPathList` happily turns those into `[]`,
+ * which without this guard would be indistinguishable from a deliberate
+ * empty array.)
+ */
+function isPathConfigValueSet(value) {
+    if (value === undefined)
+        return false;
+    if (value === null)
+        return true;
+    if (Array.isArray(value))
+        return true;
+    return typeof value === "string";
+}
+function workspaceAppConfigFromPackageJson(pkg) {
+    if (!pkg || typeof pkg !== "object" || Array.isArray(pkg))
+        return undefined;
+    const record = pkg;
+    const config = record["agent-native"] ?? record.agentNative;
+    const nested = config && typeof config === "object" && !Array.isArray(config)
+        ? config
+        : {};
+    const workspaceApp = nested.workspaceApp &&
+        typeof nested.workspaceApp === "object" &&
+        !Array.isArray(nested.workspaceApp)
+        ? nested.workspaceApp
+        : undefined;
+    const workspace = nested.workspace &&
+        typeof nested.workspace === "object" &&
+        !Array.isArray(nested.workspace)
+        ? nested.workspace
+        : undefined;
+    return {
+        root: record,
+        workspaceApp,
+        workspace,
+        audience: nested.audience,
+        publicPaths: nested.publicPaths,
+        protectedPaths: nested.protectedPaths,
+    };
+}
+//# sourceMappingURL=workspace-app-audience.js.map

package/dist/shared/workspace-app-audience.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"workspace-app-audience.js","sourceRoot":"","sources":["../../src/shared/workspace-app-audience.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,uBAAuB,GAAG,CAAC,UAAU,EAAE,QAAQ,CAAU,CAAC;AAIvE,MAAM,CAAC,MAAM,8BAA8B,GAAyB,UAAU,CAAC;AAO/E,MAAM,UAAU,6BAA6B,CAC3C,KAAc;IAEd,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,QAAQ,CAAC,CAAC,CAAC,8BAA8B,CAAC;AACxE,CAAC;AAED,MAAM,UAAU,6BAA6B,CAAC,KAAc;IAC1D,IAAI,QAAQ,GAAc,EAAE,CAAC;IAC7B,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC,EAAE,CAAC;QACzB,QAAQ,GAAG,KAAK,CAAC;IACnB,CAAC;SAAM,IAAI,OAAO,KAAK,KAAK,QAAQ,EAAE,CAAC;QACrC,MAAM,OAAO,GAAG,KAAK,CAAC,IAAI,EAAE,CAAC;QAC7B,IAAI,CAAC,OAAO;YAAE,OAAO,EAAE,CAAC;QACxB,IAAI,CAAC;YACH,MAAM,MAAM,GAAG,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,CAAC;YACnC,+DAA+D;YAC/D,kEAAkE;YAClE,2DAA2D;YAC3D,QAAQ,GAAG,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC,CAAC,CAAC,MAAM,CAAC,CAAC;QACvD,CAAC;QAAC,MAAM,CAAC;YACP,QAAQ,GAAG,OAAO,CAAC,KAAK,CAAC,GAAG,CAAC,CAAC;QAChC,CAAC;IACH,CAAC;IAED,MAAM,KAAK,GAAG,QAAQ;SACnB,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,CAAC,OAAO,KAAK,KAAK,QAAQ,CAAC,CAAC,CAAC,KAAK,CAAC,IAAI,EAAE,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;SAC/D,MAAM,CAAC,CAAC,KAAK,EAAE,EAAE,CAAC,KAAK,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC;SACxC,GAAG,CAAC,CAAC,KAAK,EAAE,EAAE,CACb,KAAK,CAAC,MAAM,GAAG,CAAC,IAAI,KAAK,CAAC,QAAQ,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,KAAK,CAAC,KAAK,CAAC,CAAC,EAAE,CAAC,CAAC,CAAC,CAAC,CAAC,CAAC,KAAK,CACrE,CAAC;IACJ,OAAO,KAAK,CAAC,IAAI,CAAC,IAAI,GAAG,CAAC,KAAK,CAAC,CAAC,CAAC;AACpC,CAAC;AAED,MAAM,UAAU,2BAA2B,CACzC,GAAwC;IAExC,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1E,MAAM,GAAG,GACP,MAAM,CAAC,mCAAmC;QAC1C,MAAM,CAAC,wCAAwC,CAAC;IAClD,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,6BAA6B,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAED,MAAM,UAAU,8BAA8B,CAC5C,GAAwC;IAExC,MAAM,MAAM,GAAG,GAAG,IAAI,CAAC,OAAO,OAAO,KAAK,WAAW,CAAC,CAAC,CAAC,OAAO,CAAC,GAAG,CAAC,CAAC,CAAC,EAAE,CAAC,CAAC;IAC1E,OAAO;QACL,WAAW,EAAE,6BAA6B,CACxC,MAAM,CAAC,uCAAuC;YAC5C,MAAM,CAAC,4CAA4C,CACtD;QACD,cAAc,EAAE,6BAA6B,CAC3C,MAAM,CAAC,0CAA0C;YAC/C,MAAM,CAAC,+CAA+C,CACzD;KACF,CAAC;AACJ,CAAC;AAED,MAAM,UAAU,mCAAmC,CACjD,GAAY;IAEZ,MAAM,MAAM,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,GAAG,GACP,MAAM,EAAE,YAAY,EAAE,QAAQ;QAC9B,MAAM,EAAE,SAAS,EAAE,QAAQ;QAC3B,MAAM,EAAE,QAAQ;QAChB,MAAM,EAAE,IAAI,EAAE,oBAAoB,CAAC;IACrC,IAAI,GAAG,KAAK,SAAS;QAAE,OAAO,SAAS,CAAC;IACxC,OAAO,6BAA6B,CAAC,GAAG,CAAC,CAAC;AAC5C,CAAC;AAcD,MAAM,UAAU,sCAAsC,CACpD,GAAY;IAEZ,MAAM,MAAM,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC;IACtD,MAAM,SAAS,GACb,MAAM,EAAE,YAAY,EAAE,WAAW;QACjC,MAAM,EAAE,YAAY,EAAE,eAAe;QACrC,MAAM,EAAE,SAAS,EAAE,WAAW;QAC9B,MAAM,EAAE,WAAW;QACnB,MAAM,EAAE,IAAI,EAAE,uBAAuB,CAAC;IACxC,MAAM,YAAY,GAChB,MAAM,EAAE,YAAY,EAAE,cAAc;QACpC,MAAM,EAAE,YAAY,EAAE,YAAY;QAClC,MAAM,EAAE,YAAY,EAAE,iBAAiB;QACvC,MAAM,EAAE,SAAS,EAAE,cAAc;QACjC,MAAM,EAAE,cAAc;QACtB,MAAM,EAAE,IAAI,EAAE,0BAA0B,CAAC;IAC3C,OAAO;QACL,GAAG,CAAC,oBAAoB,CAAC,SAAS,CAAC;YACjC,CAAC,CAAC,EAAE,WAAW,EAAE,6BAA6B,CAAC,SAAS,CAAC,EAAE;YAC3D,CAAC,CAAC,EAAE,CAAC;QACP,GAAG,CAAC,oBAAoB,CAAC,YAAY,CAAC;YACpC,CAAC,CAAC,EAAE,cAAc,EAAE,6BAA6B,CAAC,YAAY,CAAC,EAAE;YACjE,CAAC,CAAC,EAAE,CAAC;KACR,CAAC;AACJ,CAAC;AAED;;;;;;;;GAQG;AACH,SAAS,oBAAoB,CAAC,KAAc;IAC1C,IAAI,KAAK,KAAK,SAAS;QAAE,OAAO,KAAK,CAAC;IACtC,IAAI,KAAK,KAAK,IAAI;QAAE,OAAO,IAAI,CAAC;IAChC,IAAI,KAAK,CAAC,OAAO,CAAC,KAAK,CAAC;QAAE,OAAO,IAAI,CAAC;IACtC,OAAO,OAAO,KAAK,KAAK,QAAQ,CAAC;AACnC,CAAC;AAED,SAAS,iCAAiC,CAAC,GAAY;IAUrD,IAAI,CAAC,GAAG,IAAI,OAAO,GAAG,KAAK,QAAQ,IAAI,KAAK,CAAC,OAAO,CAAC,GAAG,CAAC;QAAE,OAAO,SAAS,CAAC;IAC5E,MAAM,MAAM,GAAG,GAA0B,CAAC;IAC1C,MAAM,MAAM,GAAG,MAAM,CAAC,cAAc,CAAC,IAAI,MAAM,CAAC,WAAW,CAAC;IAC5D,MAAM,MAAM,GACV,MAAM,IAAI,OAAO,MAAM,KAAK,QAAQ,IAAI,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC;QAC5D,CAAC,CAAE,MAA8B;QACjC,CAAC,CAAC,EAAE,CAAC;IACT,MAAM,YAAY,GAChB,MAAM,CAAC,YAAY;QACnB,OAAO,MAAM,CAAC,YAAY,KAAK,QAAQ;QACvC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,YAAY,CAAC;QACjC,CAAC,CAAE,MAAM,CAAC,YAAoC;QAC9C,CAAC,CAAC,SAAS,CAAC;IAChB,MAAM,SAAS,GACb,MAAM,CAAC,SAAS;QAChB,OAAO,MAAM,CAAC,SAAS,KAAK,QAAQ;QACpC,CAAC,KAAK,CAAC,OAAO,CAAC,MAAM,CAAC,SAAS,CAAC;QAC9B,CAAC,CAAE,MAAM,CAAC,SAAiC;QAC3C,CAAC,CAAC,SAAS,CAAC;IAChB,OAAO;QACL,IAAI,EAAE,MAAM;QACZ,YAAY;QACZ,SAAS;QACT,QAAQ,EAAE,MAAM,CAAC,QAAQ;QACzB,WAAW,EAAE,MAAM,CAAC,WAAW;QAC/B,cAAc,EAAE,MAAM,CAAC,cAAc;KACtC,CAAC;AACJ,CAAC","sourcesContent":["export const WORKSPACE_APP_AUDIENCES = [\"internal\", \"public\"] as const;\n\nexport type WorkspaceAppAudience = (typeof WORKSPACE_APP_AUDIENCES)[number];\n\nexport const DEFAULT_WORKSPACE_APP_AUDIENCE: WorkspaceAppAudience = \"internal\";\n\nexport interface WorkspaceAppRouteAccess {\n  publicPaths: string[];\n  protectedPaths: string[];\n}\n\nexport function normalizeWorkspaceAppAudience(\n  value: unknown,\n): WorkspaceAppAudience {\n  return value === \"public\" ? \"public\" : DEFAULT_WORKSPACE_APP_AUDIENCE;\n}\n\nexport function normalizeWorkspaceAppPathList(value: unknown): string[] {\n  let rawPaths: unknown[] = [];\n  if (Array.isArray(value)) {\n    rawPaths = value;\n  } else if (typeof value === \"string\") {\n    const trimmed = value.trim();\n    if (!trimmed) return [];\n    try {\n      const parsed = JSON.parse(trimmed);\n      // When JSON parses to a non-array (e.g. a single quoted string\n      // `\"/api\"`), use the parsed value, not the original quoted form —\n      // otherwise the `/`-prefix filter below silently drops it.\n      rawPaths = Array.isArray(parsed) ? parsed : [parsed];\n    } catch {\n      rawPaths = trimmed.split(\",\");\n    }\n  }\n\n  const paths = rawPaths\n    .map((entry) => (typeof entry === \"string\" ? entry.trim() : \"\"))\n    .filter((entry) => entry.startsWith(\"/\"))\n    .map((entry) =>\n      entry.length > 1 && entry.endsWith(\"/\") ? entry.slice(0, -1) : entry,\n    );\n  return Array.from(new Set(paths));\n}\n\nexport function workspaceAppAudienceFromEnv(\n  env?: Record<string, string | undefined>,\n): WorkspaceAppAudience | undefined {\n  const source = env ?? (typeof process !== \"undefined\" ? process.env : {});\n  const raw =\n    source.AGENT_NATIVE_WORKSPACE_APP_AUDIENCE ??\n    source.VITE_AGENT_NATIVE_WORKSPACE_APP_AUDIENCE;\n  if (raw === undefined) return undefined;\n  return normalizeWorkspaceAppAudience(raw);\n}\n\nexport function workspaceAppRouteAccessFromEnv(\n  env?: Record<string, string | undefined>,\n): WorkspaceAppRouteAccess {\n  const source = env ?? (typeof process !== \"undefined\" ? process.env : {});\n  return {\n    publicPaths: normalizeWorkspaceAppPathList(\n      source.AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS ??\n        source.VITE_AGENT_NATIVE_WORKSPACE_APP_PUBLIC_PATHS,\n    ),\n    protectedPaths: normalizeWorkspaceAppPathList(\n      source.AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS ??\n        source.VITE_AGENT_NATIVE_WORKSPACE_APP_PROTECTED_PATHS,\n    ),\n  };\n}\n\nexport function workspaceAppAudienceFromPackageJson(\n  pkg: unknown,\n): WorkspaceAppAudience | undefined {\n  const config = workspaceAppConfigFromPackageJson(pkg);\n  const raw =\n    config?.workspaceApp?.audience ??\n    config?.workspace?.audience ??\n    config?.audience ??\n    config?.root?.workspaceAppAudience;\n  if (raw === undefined) return undefined;\n  return normalizeWorkspaceAppAudience(raw);\n}\n\n/**\n * Per-app route-access config read from a `package.json`. Each field is\n * `undefined` when the corresponding key is fully absent from every\n * supported alias chain — that lets callers distinguish \"user didn't say\"\n * from \"user set [] to clear inherited overrides\". `workspaceAppRouteAccess`\n * always emits a full `WorkspaceAppRouteAccess` for runtime consumption.\n */\nexport interface WorkspaceAppRouteAccessFromConfig {\n  publicPaths?: string[];\n  protectedPaths?: string[];\n}\n\nexport function workspaceAppRouteAccessFromPackageJson(\n  pkg: unknown,\n): WorkspaceAppRouteAccessFromConfig {\n  const config = workspaceAppConfigFromPackageJson(pkg);\n  const rawPublic =\n    config?.workspaceApp?.publicPaths ??\n    config?.workspaceApp?.publicPagePaths ??\n    config?.workspace?.publicPaths ??\n    config?.publicPaths ??\n    config?.root?.workspaceAppPublicPaths;\n  const rawProtected =\n    config?.workspaceApp?.protectedPaths ??\n    config?.workspaceApp?.privatePaths ??\n    config?.workspaceApp?.authRequiredPaths ??\n    config?.workspace?.protectedPaths ??\n    config?.protectedPaths ??\n    config?.root?.workspaceAppProtectedPaths;\n  return {\n    ...(isPathConfigValueSet(rawPublic)\n      ? { publicPaths: normalizeWorkspaceAppPathList(rawPublic) }\n      : {}),\n    ...(isPathConfigValueSet(rawProtected)\n      ? { protectedPaths: normalizeWorkspaceAppPathList(rawProtected) }\n      : {}),\n  };\n}\n\n/**\n * Only treat a package.json field as \"explicitly set\" when its raw value is a\n * supported type — an array, a string, or explicit null. Garbage types like\n * `false`, `0`, or `{}` are ignored (left as undefined) so a typo such as\n * `\"publicPaths\": false` doesn't silently clear an inherited manifest\n * override. (`normalizeWorkspaceAppPathList` happily turns those into `[]`,\n * which without this guard would be indistinguishable from a deliberate\n * empty array.)\n */\nfunction isPathConfigValueSet(value: unknown): boolean {\n  if (value === undefined) return false;\n  if (value === null) return true;\n  if (Array.isArray(value)) return true;\n  return typeof value === \"string\";\n}\n\nfunction workspaceAppConfigFromPackageJson(pkg: unknown):\n  | {\n      root: Record<string, any>;\n      workspaceApp?: Record<string, any>;\n      workspace?: Record<string, any>;\n      audience?: unknown;\n      publicPaths?: unknown;\n      protectedPaths?: unknown;\n    }\n  | undefined {\n  if (!pkg || typeof pkg !== \"object\" || Array.isArray(pkg)) return undefined;\n  const record = pkg as Record<string, any>;\n  const config = record[\"agent-native\"] ?? record.agentNative;\n  const nested =\n    config && typeof config === \"object\" && !Array.isArray(config)\n      ? (config as Record<string, any>)\n      : {};\n  const workspaceApp =\n    nested.workspaceApp &&\n    typeof nested.workspaceApp === \"object\" &&\n    !Array.isArray(nested.workspaceApp)\n      ? (nested.workspaceApp as Record<string, any>)\n      : undefined;\n  const workspace =\n    nested.workspace &&\n    typeof nested.workspace === \"object\" &&\n    !Array.isArray(nested.workspace)\n      ? (nested.workspace as Record<string, any>)\n      : undefined;\n  return {\n    root: record,\n    workspaceApp,\n    workspace,\n    audience: nested.audience,\n    publicPaths: nested.publicPaths,\n    protectedPaths: nested.protectedPaths,\n  };\n}\n"]}

package/dist/shared/workspace-app-id.d.ts

@@ -1,4 +1,4 @@
-export declare const DISPATCH_WORKSPACE_ROOT_REDIRECTS: readonly [readonly ["overview", "overview"], readonly ["login", "login"], readonly ["signup", "signup"], readonly ["apps", "apps"], readonly ["apps/new-app", "new-app"], readonly ["new-app", "new-app"], readonly ["vault", "vault"], readonly ["integrations", "integrations"], readonly ["agents", "agents"], readonly ["workspace", "workspace"], readonly ["messaging", "messaging"], readonly ["extensions", "extensions"], readonly ["destinations", "destinations"], readonly ["identities", "identities"], readonly ["approval", "approval"], readonly ["approvals", "approvals"], readonly ["audit", "audit"], readonly ["team", "team"]];
+export declare const DISPATCH_WORKSPACE_ROOT_REDIRECTS: readonly [readonly ["overview", "overview"], readonly ["login", "login"], readonly ["signup", "signup"], readonly ["apps", "apps"], readonly ["apps/new-app", "new-app"], readonly ["new-app", "new-app"], readonly ["vault", "vault"], readonly ["integrations", "integrations"], readonly ["agents", "agents"], readonly ["workspace", "workspace"], readonly ["messaging", "messaging"], readonly ["extensions", "extensions"], readonly ["destinations", "destinations"], readonly ["identities", "identities"], readonly ["approval", "approval"], readonly ["approvals", "approvals"], readonly ["audit", "audit"], readonly ["thread-debug", "thread-debug"], readonly ["team", "team"]];
 export declare const RESERVED_WORKSPACE_APP_IDS: Set<string>;
 export declare function isValidWorkspaceAppIdFormat(appId: string): boolean;
 export declare function getWorkspaceAppIdValidationError(appId: string): string | null;

package/dist/shared/workspace-app-id.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"workspace-app-id.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,snBAmBpC,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAYrC,CAAC;AAEH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wBAAgB,gCAAgC,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ7E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAG7D"}
+{"version":3,"file":"workspace-app-id.d.ts","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,eAAO,MAAM,iCAAiC,iqBAoBpC,CAAC;AAEX,eAAO,MAAM,0BAA0B,aAYrC,CAAC;AAEH,wBAAgB,2BAA2B,CAAC,KAAK,EAAE,MAAM,GAAG,OAAO,CAElE;AAED,wBAAgB,gCAAgC,CAAC,KAAK,EAAE,MAAM,GAAG,MAAM,GAAG,IAAI,CAQ7E;AAED,wBAAgB,yBAAyB,CAAC,KAAK,EAAE,MAAM,GAAG,IAAI,CAG7D"}

package/dist/shared/workspace-app-id.js

@@ -16,6 +16,7 @@ export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [
     ["approval", "approval"],
     ["approvals", "approvals"],
     ["audit", "audit"],
+    ["thread-debug", "thread-debug"],
     ["team", "team"],
 ];
 export const RESERVED_WORKSPACE_APP_IDS = new Set([

package/dist/shared/workspace-app-id.js.map

@@ -1 +1 @@
-{"version":3,"file":"workspace-app-id.js","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,MAAM,EAAE,MAAM,CAAC;IAChB,CAAC,cAAc,EAAE,SAAS,CAAC;IAC3B,CAAC,SAAS,EAAE,SAAS,CAAC;IACtB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,MAAM,EAAE,MAAM,CAAC;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IAChD,eAAe;IACf,mBAAmB;IACnB,KAAK;IACL,MAAM;IACN,UAAU;IACV,SAAS;IACT,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,OAAO;IACP,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;CAC3D,CAAC,CAAC;AAEH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,KAAa;IAC5D,IAAI,0BAA0B,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,aAAa,KAAK,uEAAuE,CAAC;IACnG,CAAC;IACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,qBAAqB,KAAK,iDAAiD,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,MAAM,KAAK,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC","sourcesContent":["export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [\n  [\"overview\", \"overview\"],\n  [\"login\", \"login\"],\n  [\"signup\", \"signup\"],\n  [\"apps\", \"apps\"],\n  [\"apps/new-app\", \"new-app\"],\n  [\"new-app\", \"new-app\"],\n  [\"vault\", \"vault\"],\n  [\"integrations\", \"integrations\"],\n  [\"agents\", \"agents\"],\n  [\"workspace\", \"workspace\"],\n  [\"messaging\", \"messaging\"],\n  [\"extensions\", \"extensions\"],\n  [\"destinations\", \"destinations\"],\n  [\"identities\", \"identities\"],\n  [\"approval\", \"approval\"],\n  [\"approvals\", \"approvals\"],\n  [\"audit\", \"audit\"],\n  [\"team\", \"team\"],\n] as const;\n\nexport const RESERVED_WORKSPACE_APP_IDS = new Set([\n  \"_agent-native\",\n  \"_workspace_static\",\n  \"api\",\n  \"auth\",\n  \"dispatch\",\n  \"netlify\",\n  // Legacy alias — `tools` was the previous name for `extensions`. Keep it\n  // reserved so a user can't create a workspace app whose mount path collides\n  // with the legacy `/tools` redirect (still served by core-routes-plugin).\n  \"tools\",\n  ...DISPATCH_WORKSPACE_ROOT_REDIRECTS.map(([from]) => from),\n]);\n\nexport function isValidWorkspaceAppIdFormat(appId: string): boolean {\n  return /^[a-z][a-z0-9-]*$/.test(appId);\n}\n\nexport function getWorkspaceAppIdValidationError(appId: string): string | null {\n  if (RESERVED_WORKSPACE_APP_IDS.has(appId)) {\n    return `App name \"${appId}\" conflicts with a reserved workspace route. Choose a different name.`;\n  }\n  if (!isValidWorkspaceAppIdFormat(appId)) {\n    return `Invalid app name \"${appId}\". Use lowercase letters, numbers, and hyphens.`;\n  }\n  return null;\n}\n\nexport function assertValidWorkspaceAppId(appId: string): void {\n  const error = getWorkspaceAppIdValidationError(appId);\n  if (error) throw new Error(error);\n}\n"]}
+{"version":3,"file":"workspace-app-id.js","sourceRoot":"","sources":["../../src/shared/workspace-app-id.ts"],"names":[],"mappings":"AAAA,MAAM,CAAC,MAAM,iCAAiC,GAAG;IAC/C,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,MAAM,EAAE,MAAM,CAAC;IAChB,CAAC,cAAc,EAAE,SAAS,CAAC;IAC3B,CAAC,SAAS,EAAE,SAAS,CAAC;IACtB,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,QAAQ,EAAE,QAAQ,CAAC;IACpB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,YAAY,EAAE,YAAY,CAAC;IAC5B,CAAC,UAAU,EAAE,UAAU,CAAC;IACxB,CAAC,WAAW,EAAE,WAAW,CAAC;IAC1B,CAAC,OAAO,EAAE,OAAO,CAAC;IAClB,CAAC,cAAc,EAAE,cAAc,CAAC;IAChC,CAAC,MAAM,EAAE,MAAM,CAAC;CACR,CAAC;AAEX,MAAM,CAAC,MAAM,0BAA0B,GAAG,IAAI,GAAG,CAAC;IAChD,eAAe;IACf,mBAAmB;IACnB,KAAK;IACL,MAAM;IACN,UAAU;IACV,SAAS;IACT,yEAAyE;IACzE,4EAA4E;IAC5E,0EAA0E;IAC1E,OAAO;IACP,GAAG,iCAAiC,CAAC,GAAG,CAAC,CAAC,CAAC,IAAI,CAAC,EAAE,EAAE,CAAC,IAAI,CAAC;CAC3D,CAAC,CAAC;AAEH,MAAM,UAAU,2BAA2B,CAAC,KAAa;IACvD,OAAO,mBAAmB,CAAC,IAAI,CAAC,KAAK,CAAC,CAAC;AACzC,CAAC;AAED,MAAM,UAAU,gCAAgC,CAAC,KAAa;IAC5D,IAAI,0BAA0B,CAAC,GAAG,CAAC,KAAK,CAAC,EAAE,CAAC;QAC1C,OAAO,aAAa,KAAK,uEAAuE,CAAC;IACnG,CAAC;IACD,IAAI,CAAC,2BAA2B,CAAC,KAAK,CAAC,EAAE,CAAC;QACxC,OAAO,qBAAqB,KAAK,iDAAiD,CAAC;IACrF,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED,MAAM,UAAU,yBAAyB,CAAC,KAAa;IACrD,MAAM,KAAK,GAAG,gCAAgC,CAAC,KAAK,CAAC,CAAC;IACtD,IAAI,KAAK;QAAE,MAAM,IAAI,KAAK,CAAC,KAAK,CAAC,CAAC;AACpC,CAAC","sourcesContent":["export const DISPATCH_WORKSPACE_ROOT_REDIRECTS = [\n  [\"overview\", \"overview\"],\n  [\"login\", \"login\"],\n  [\"signup\", \"signup\"],\n  [\"apps\", \"apps\"],\n  [\"apps/new-app\", \"new-app\"],\n  [\"new-app\", \"new-app\"],\n  [\"vault\", \"vault\"],\n  [\"integrations\", \"integrations\"],\n  [\"agents\", \"agents\"],\n  [\"workspace\", \"workspace\"],\n  [\"messaging\", \"messaging\"],\n  [\"extensions\", \"extensions\"],\n  [\"destinations\", \"destinations\"],\n  [\"identities\", \"identities\"],\n  [\"approval\", \"approval\"],\n  [\"approvals\", \"approvals\"],\n  [\"audit\", \"audit\"],\n  [\"thread-debug\", \"thread-debug\"],\n  [\"team\", \"team\"],\n] as const;\n\nexport const RESERVED_WORKSPACE_APP_IDS = new Set([\n  \"_agent-native\",\n  \"_workspace_static\",\n  \"api\",\n  \"auth\",\n  \"dispatch\",\n  \"netlify\",\n  // Legacy alias — `tools` was the previous name for `extensions`. Keep it\n  // reserved so a user can't create a workspace app whose mount path collides\n  // with the legacy `/tools` redirect (still served by core-routes-plugin).\n  \"tools\",\n  ...DISPATCH_WORKSPACE_ROOT_REDIRECTS.map(([from]) => from),\n]);\n\nexport function isValidWorkspaceAppIdFormat(appId: string): boolean {\n  return /^[a-z][a-z0-9-]*$/.test(appId);\n}\n\nexport function getWorkspaceAppIdValidationError(appId: string): string | null {\n  if (RESERVED_WORKSPACE_APP_IDS.has(appId)) {\n    return `App name \"${appId}\" conflicts with a reserved workspace route. Choose a different name.`;\n  }\n  if (!isValidWorkspaceAppIdFormat(appId)) {\n    return `Invalid app name \"${appId}\". Use lowercase letters, numbers, and hyphens.`;\n  }\n  return null;\n}\n\nexport function assertValidWorkspaceAppId(appId: string): void {\n  const error = getWorkspaceAppIdValidationError(appId);\n  if (error) throw new Error(error);\n}\n"]}

package/dist/sharing/access.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAoB,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AASzD,OAAO,EAAa,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAExD,qBAAa,cAAe,SAAQ,KAAK;IACvC,UAAU,SAAO;gBACL,OAAO,SAAc;CAIlC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wEAAwE;AACxE,wBAAgB,aAAa,IAAI,aAAa,CAK7C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,GAAG,EAClB,WAAW,EAAE,GAAG,EAChB,GAAG,GAAE,aAA+B,EACpC,OAAO,GAAE,SAAoB,EAC7B,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACxC,GAAG,CAyCL;AAaD,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,yCAAyC;IACzC,QAAQ,EAAE,GAAG,CAAC;CACf;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CA2BhC;AA4CD;;;GAGG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,SAAS,GAAG,OAAkB,EACvC,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,CAAC,CAWzB"}
+{"version":3,"file":"access.d.ts","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAoB,KAAK,GAAG,EAAE,MAAM,aAAa,CAAC;AAUzD,OAAO,EAAa,KAAK,SAAS,EAAE,MAAM,aAAa,CAAC;AAmBxD,qBAAa,cAAe,SAAQ,KAAK;IACvC,UAAU,SAAO;gBACL,OAAO,SAAc;CAIlC;AAED,MAAM,WAAW,aAAa;IAC5B,SAAS,CAAC,EAAE,MAAM,CAAC;IACnB,KAAK,CAAC,EAAE,MAAM,CAAC;CAChB;AAED,wEAAwE;AACxE,wBAAgB,aAAa,IAAI,aAAa,CAK7C;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,wBAAgB,YAAY,CAC1B,aAAa,EAAE,GAAG,EAClB,WAAW,EAAE,GAAG,EAChB,GAAG,GAAE,aAA+B,EACpC,OAAO,GAAE,SAAoB,EAC7B,OAAO,GAAE;IAAE,aAAa,CAAC,EAAE,OAAO,CAAA;CAAO,GACxC,GAAG,CAoDL;AAgCD,MAAM,WAAW,cAAc;IAC7B,yEAAyE;IACzE,IAAI,EAAE,OAAO,GAAG,SAAS,CAAC;IAC1B,yCAAyC;IACzC,QAAQ,EAAE,GAAG,CAAC;CACf;AAED;;;GAGG;AACH,wBAAsB,aAAa,CACjC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,GAAG,IAAI,CAAC,CAkChC;AA4CD;;;GAGG;AACH,wBAAsB,YAAY,CAChC,YAAY,EAAE,MAAM,EACpB,UAAU,EAAE,MAAM,EAClB,OAAO,GAAE,SAAS,GAAG,OAAkB,EACvC,GAAG,GAAE,aAA+B,GACnC,OAAO,CAAC,cAAc,CAAC,CAWzB"}

package/dist/sharing/access.js

@@ -14,8 +14,23 @@
  */
 import { and, eq, or, sql } from "drizzle-orm";
 import { getRequestUserEmail, getRequestOrgId, } from "../server/request-context.js";
-import { requireShareableResource, } from "./registry.js";
+import { listShareableResources, requireShareableResource, } from "./registry.js";
 import { ROLE_RANK } from "./schema.js";
+/**
+ * Find a registration by its drizzle table identity. Used to look up
+ * per-resource policy flags (e.g. `allowPublic`) inside `accessFilter`,
+ * which receives only the table — not the resource-type name.
+ *
+ * Identity is stable within a single bundle (Vite dedupes module instances);
+ * the SSR/server side is the only caller, so per-bundle identity is fine.
+ */
+function findRegistrationByTable(resourceTable) {
+    for (const reg of listShareableResources()) {
+        if (reg.resourceTable === resourceTable)
+            return reg;
+    }
+    return undefined;
+}
 export class ForbiddenError extends Error {
     statusCode = 403;
     constructor(message = "Forbidden") {
@@ -50,10 +65,16 @@ export function currentAccess() {
  */
 export function accessFilter(resourceTable, sharesTable, ctx = currentAccess(), minRole = "viewer", options = {}) {
     const { userEmail, orgId } = ctx;
-    const { includePublic = false } = options;
+    // Defense in depth — resources registered with `allowPublic: false` must
+    // never participate in cross-user "public" discovery, even if a caller
+    // accidentally passes `includePublic: true` or if a stale public row sits
+    // in the DB.
+    const reg = findRegistrationByTable(resourceTable);
+    const publicAllowed = reg?.allowPublic !== false;
+    const includePublic = (options.includePublic ?? false) && publicAllowed;
     const clauses = [];
     if (userEmail) {
-        clauses.push(eq(resourceTable.ownerEmail, userEmail));
+        clauses.push(and(eq(resourceTable.ownerEmail, userEmail), ownerScopeFilter(resourceTable, ctx)));
     }
     if (minRole === "viewer") {
         if (includePublic) {
@@ -79,6 +100,21 @@ export function accessFilter(resourceTable, sharesTable, ctx = currentAccess(),
     }
     return or(...clauses) ?? sql `1=0`;
 }
+function ownerScopeFilter(resourceTable, ctx) {
+    if (ctx.orgId) {
+        // Rows created before org-scoping, or in solo mode, have no org_id. Keep
+        // them manageable by their owner after the owner joins or switches into an
+        // organization, while still keeping rows from other orgs out of scope.
+        return or(eq(resourceTable.orgId, ctx.orgId), sql `${resourceTable.orgId} IS NULL`);
+    }
+    return sql `${resourceTable.orgId} IS NULL`;
+}
+function ownerMatchesActiveScope(resource, ctx) {
+    const resourceOrgId = resource?.orgId ?? null;
+    if (!resourceOrgId)
+        return true;
+    return ctx.orgId === resourceOrgId;
+}
 function minRoleSql(minRole) {
     if (minRole === "viewer") {
         // any role satisfies viewer
@@ -103,14 +139,19 @@ export async function resolveAccess(resourceType, resourceId, ctx = currentAcces
     if (!resource)
         return null;
     const { userEmail, orgId } = ctx;
-    if (userEmail && resource.ownerEmail === userEmail) {
+    if (userEmail &&
+        resource.ownerEmail === userEmail &&
+        ownerMatchesActiveScope(resource, ctx)) {
         return { role: "owner", resource };
     }
-    if (resource.visibility === "public") {
+    if (resource.visibility === "public" && reg.allowPublic !== false) {
         // No share row needed; default viewer unless upgraded below.
         const role = await highestShareRole(reg, resourceId, ctx);
         return { role: role ?? "viewer", resource };
     }
+    // `visibility === "public"` on an `allowPublic: false` resource is treated
+    // as private: only owner + explicit shares grant access. Falls through to
+    // the explicit-share lookup below.
     if (resource.visibility === "org" && orgId && resource.orgId === orgId) {
         const role = await highestShareRole(reg, resourceId, ctx);
         return { role: role ?? "viewer", resource };

package/dist/sharing/access.js.map

@@ -1 +1 @@
-{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAY,MAAM,aAAa,CAAC;AACzD,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,wBAAwB,GAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,SAAS,EAAkB,MAAM,aAAa,CAAC;AAExD,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,UAAU,GAAG,GAAG,CAAC;IACjB,YAAY,OAAO,GAAG,WAAW;QAC/B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAOD,wEAAwE;AACxE,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,SAAS,EAAE,mBAAmB,EAAE;QAChC,KAAK,EAAE,eAAe,EAAE;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,YAAY,CAC1B,aAAkB,EAClB,WAAgB,EAChB,MAAqB,aAAa,EAAE,EACpC,UAAqB,QAAQ,EAC7B,UAAuC,EAAE;IAEzC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,MAAM,EAAE,aAAa,GAAG,KAAK,EAAE,GAAG,OAAO,CAAC;IAC1C,MAAM,OAAO,GAAU,EAAE,CAAC;IAE1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,CAAC,CAAC;IACxD,CAAC;IACD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CACV,GAAG,CACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,KAAK,CAAC,EACnC,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAC9B,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,SAAS;0BACtC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,KAAK;0BAClC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,GAAG,CAAA,KAAK,CAAC;AACpC,CAAC;AAED,SAAS,UAAU,CAAC,OAAkB;IACpC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,4BAA4B;QAC5B,OAAO,GAAG,CAAA,KAAK,CAAC;IAClB,CAAC;IACD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,GAAG,CAAA,4BAA4B,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAA,gBAAgB,CAAC;AAC7B,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,YAAoB,EACpB,UAAkB,EAClB,MAAqB,aAAa,EAAE;IAEpC,MAAM,GAAG,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAE9B,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;SACxB,MAAM,EAAE;SACR,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC;SACvB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAEjC,IAAI,SAAS,IAAI,QAAQ,CAAC,UAAU,KAAK,SAAS,EAAE,CAAC;QACnD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,EAAE,CAAC;QACrC,6DAA6D;QAC7D,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,KAAK,IAAI,KAAK,IAAI,QAAQ,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QACvE,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC1D,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,GAAkC,EAClC,UAAkB,EAClB,GAAkB;IAElB,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAE9B,MAAM,gBAAgB,GAA6B,EAAE,CAAC;IACtD,IAAI,SAAS,EAAE,CAAC;QACd,gBAAgB,CAAC,IAAI,CACnB,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,EACzC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,SAAS,CAAC,CAC3C,CACF,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,gBAAgB,CAAC,IAAI,CACnB,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,KAAK,CAAC,EACxC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CACvC,CACF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;SACtC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;SACrB,KAAK,CACJ,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,GAAG,gBAAgB,CAAC,CAAC,CACzE;SACA,KAAK,CAAC,EAAE,CAAC,CAAC;IAEb,IAAI,IAAI,GAAqB,IAAI,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,IAAkC,EAAE,CAAC;QACnD,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IAClE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,YAAoB,EACpB,UAAkB,EAClB,UAA+B,QAAQ,EACvC,MAAqB,aAAa,EAAE;IAEpC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAClE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,cAAc,CAAC,gBAAgB,YAAY,IAAI,UAAU,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,cAAc,CACtB,YAAY,OAAO,YAAY,YAAY,IAAI,UAAU,UAAU,MAAM,CAAC,IAAI,GAAG,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["/**\n * Access-control helpers for shareable resources.\n *\n * The access model combines:\n * 1. Direct ownership — `owner_email = currentUser`.\n * 2. Visibility — `'private' | 'org' | 'public'`. `org` grants read to anyone\n *    in the same org; `public` grants read to any authenticated user.\n * 3. Share rows — per-user or per-org grants in the `{type}_shares` table\n *    with a role (`viewer | editor | admin`).\n *\n * Use `applyAccessFilter()` on list/read queries to filter rows the current\n * user can see. Use `assertAccess()` at the top of write actions to reject\n * callers who lack the required role.\n */\n\nimport { and, eq, or, sql, type SQL } from \"drizzle-orm\";\nimport {\n  getRequestUserEmail,\n  getRequestOrgId,\n} from \"../server/request-context.js\";\nimport {\n  requireShareableResource,\n  type ShareableResourceRegistration,\n} from \"./registry.js\";\nimport { ROLE_RANK, type ShareRole } from \"./schema.js\";\n\nexport class ForbiddenError extends Error {\n  statusCode = 403;\n  constructor(message = \"Forbidden\") {\n    super(message);\n    this.name = \"ForbiddenError\";\n  }\n}\n\nexport interface AccessContext {\n  userEmail?: string;\n  orgId?: string;\n}\n\n/** Current request's access context. Pulls from request-context ALS. */\nexport function currentAccess(): AccessContext {\n  return {\n    userEmail: getRequestUserEmail(),\n    orgId: getRequestOrgId(),\n  };\n}\n\n/**\n * Build a Drizzle `WHERE` clause that admits rows the current user can see.\n * Pass the ownable resource table and its shares table; optional min role\n * (defaults to 'viewer') gates which share rows count.\n *\n * `visibility = 'public'` is intentionally NOT admitted by default. Public\n * means \"anyone with the link can view\" (still honoured by `resolveAccess`\n * for read-by-id), not \"appears in every signed-in user's list/sidebar.\"\n * Pass `{ includePublic: true }` for the rare list endpoint that wants\n * cross-user public discovery (a public template gallery, for example).\n *\n * Example:\n *\n *   const rows = await db\n *     .select()\n *     .from(schema.documents)\n *     .where(accessFilter(schema.documents, schema.documentShares));\n */\nexport function accessFilter(\n  resourceTable: any,\n  sharesTable: any,\n  ctx: AccessContext = currentAccess(),\n  minRole: ShareRole = \"viewer\",\n  options: { includePublic?: boolean } = {},\n): SQL {\n  const { userEmail, orgId } = ctx;\n  const { includePublic = false } = options;\n  const clauses: SQL[] = [];\n\n  if (userEmail) {\n    clauses.push(eq(resourceTable.ownerEmail, userEmail));\n  }\n  if (minRole === \"viewer\") {\n    if (includePublic) {\n      clauses.push(eq(resourceTable.visibility, \"public\"));\n    }\n    if (orgId) {\n      clauses.push(\n        and(\n          eq(resourceTable.visibility, \"org\"),\n          eq(resourceTable.orgId, orgId),\n        )!,\n      );\n    }\n  }\n  if (userEmail) {\n    clauses.push(\n      sql`exists (select 1 from ${sharesTable}\n                  where ${sharesTable.resourceId} = ${resourceTable.id}\n                    and ${sharesTable.principalType} = 'user'\n                    and ${sharesTable.principalId} = ${userEmail}\n                    and ${minRoleSql(minRole)})`,\n    );\n  }\n  if (orgId) {\n    clauses.push(\n      sql`exists (select 1 from ${sharesTable}\n                  where ${sharesTable.resourceId} = ${resourceTable.id}\n                    and ${sharesTable.principalType} = 'org'\n                    and ${sharesTable.principalId} = ${orgId}\n                    and ${minRoleSql(minRole)})`,\n    );\n  }\n\n  return or(...clauses) ?? sql`1=0`;\n}\n\nfunction minRoleSql(minRole: ShareRole): SQL {\n  if (minRole === \"viewer\") {\n    // any role satisfies viewer\n    return sql`1=1`;\n  }\n  if (minRole === \"editor\") {\n    return sql`role in ('editor','admin')`;\n  }\n  return sql`role = 'admin'`;\n}\n\nexport interface ResolvedAccess {\n  /** Effective role: 'owner' for the resource owner, or the share role. */\n  role: \"owner\" | ShareRole;\n  /** The resource row (already loaded). */\n  resource: any;\n}\n\n/**\n * Return the effective role the current user has on a specific resource, or\n * null if they have no access. Loads the resource and relevant share rows.\n */\nexport async function resolveAccess(\n  resourceType: string,\n  resourceId: string,\n  ctx: AccessContext = currentAccess(),\n): Promise<ResolvedAccess | null> {\n  const reg = requireShareableResource(resourceType);\n  const db = reg.getDb() as any;\n\n  const [resource] = await db\n    .select()\n    .from(reg.resourceTable)\n    .where(eq(reg.resourceTable.id, resourceId));\n  if (!resource) return null;\n\n  const { userEmail, orgId } = ctx;\n\n  if (userEmail && resource.ownerEmail === userEmail) {\n    return { role: \"owner\", resource };\n  }\n  if (resource.visibility === \"public\") {\n    // No share row needed; default viewer unless upgraded below.\n    const role = await highestShareRole(reg, resourceId, ctx);\n    return { role: role ?? \"viewer\", resource };\n  }\n  if (resource.visibility === \"org\" && orgId && resource.orgId === orgId) {\n    const role = await highestShareRole(reg, resourceId, ctx);\n    return { role: role ?? \"viewer\", resource };\n  }\n  const role = await highestShareRole(reg, resourceId, ctx);\n  if (role) return { role, resource };\n  return null;\n}\n\nasync function highestShareRole(\n  reg: ShareableResourceRegistration,\n  resourceId: string,\n  ctx: AccessContext,\n): Promise<ShareRole | null> {\n  const { userEmail, orgId } = ctx;\n  if (!userEmail && !orgId) return null;\n  const db = reg.getDb() as any;\n\n  const principalClauses: ReturnType<typeof and>[] = [];\n  if (userEmail) {\n    principalClauses.push(\n      and(\n        eq(reg.sharesTable.principalType, \"user\"),\n        eq(reg.sharesTable.principalId, userEmail),\n      ),\n    );\n  }\n  if (orgId) {\n    principalClauses.push(\n      and(\n        eq(reg.sharesTable.principalType, \"org\"),\n        eq(reg.sharesTable.principalId, orgId),\n      ),\n    );\n  }\n\n  const rows = await db\n    .select({ role: reg.sharesTable.role })\n    .from(reg.sharesTable)\n    .where(\n      and(eq(reg.sharesTable.resourceId, resourceId), or(...principalClauses)),\n    )\n    .limit(10);\n\n  let best: ShareRole | null = null;\n  for (const r of rows as Array<{ role: ShareRole }>) {\n    if (!best || ROLE_RANK[r.role] > ROLE_RANK[best]) best = r.role;\n  }\n  return best;\n}\n\n/**\n * Throw ForbiddenError if the current user can't act on this resource with at\n * least the given role. Used at the top of update/delete actions.\n */\nexport async function assertAccess(\n  resourceType: string,\n  resourceId: string,\n  minRole: ShareRole | \"owner\" = \"viewer\",\n  ctx: AccessContext = currentAccess(),\n): Promise<ResolvedAccess> {\n  const access = await resolveAccess(resourceType, resourceId, ctx);\n  if (!access) {\n    throw new ForbiddenError(`No access to ${resourceType} ${resourceId}`);\n  }\n  if (ROLE_RANK[access.role] < ROLE_RANK[minRole]) {\n    throw new ForbiddenError(\n      `Requires ${minRole} role on ${resourceType} ${resourceId} (have ${access.role})`,\n    );\n  }\n  return access;\n}\n"]}
+{"version":3,"file":"access.js","sourceRoot":"","sources":["../../src/sharing/access.ts"],"names":[],"mappings":"AAAA;;;;;;;;;;;;;GAaG;AAEH,OAAO,EAAE,GAAG,EAAE,EAAE,EAAE,EAAE,EAAE,GAAG,EAAY,MAAM,aAAa,CAAC;AACzD,OAAO,EACL,mBAAmB,EACnB,eAAe,GAChB,MAAM,8BAA8B,CAAC;AACtC,OAAO,EACL,sBAAsB,EACtB,wBAAwB,GAEzB,MAAM,eAAe,CAAC;AACvB,OAAO,EAAE,SAAS,EAAkB,MAAM,aAAa,CAAC;AAExD;;;;;;;GAOG;AACH,SAAS,uBAAuB,CAC9B,aAAkB;IAElB,KAAK,MAAM,GAAG,IAAI,sBAAsB,EAAE,EAAE,CAAC;QAC3C,IAAI,GAAG,CAAC,aAAa,KAAK,aAAa;YAAE,OAAO,GAAG,CAAC;IACtD,CAAC;IACD,OAAO,SAAS,CAAC;AACnB,CAAC;AAED,MAAM,OAAO,cAAe,SAAQ,KAAK;IACvC,UAAU,GAAG,GAAG,CAAC;IACjB,YAAY,OAAO,GAAG,WAAW;QAC/B,KAAK,CAAC,OAAO,CAAC,CAAC;QACf,IAAI,CAAC,IAAI,GAAG,gBAAgB,CAAC;IAC/B,CAAC;CACF;AAOD,wEAAwE;AACxE,MAAM,UAAU,aAAa;IAC3B,OAAO;QACL,SAAS,EAAE,mBAAmB,EAAE;QAChC,KAAK,EAAE,eAAe,EAAE;KACzB,CAAC;AACJ,CAAC;AAED;;;;;;;;;;;;;;;;;GAiBG;AACH,MAAM,UAAU,YAAY,CAC1B,aAAkB,EAClB,WAAgB,EAChB,MAAqB,aAAa,EAAE,EACpC,UAAqB,QAAQ,EAC7B,UAAuC,EAAE;IAEzC,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,yEAAyE;IACzE,uEAAuE;IACvE,0EAA0E;IAC1E,aAAa;IACb,MAAM,GAAG,GAAG,uBAAuB,CAAC,aAAa,CAAC,CAAC;IACnD,MAAM,aAAa,GAAG,GAAG,EAAE,WAAW,KAAK,KAAK,CAAC;IACjD,MAAM,aAAa,GAAG,CAAC,OAAO,CAAC,aAAa,IAAI,KAAK,CAAC,IAAI,aAAa,CAAC;IACxE,MAAM,OAAO,GAAU,EAAE,CAAC;IAE1B,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CACV,GAAG,CACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,SAAS,CAAC,EACvC,gBAAgB,CAAC,aAAa,EAAE,GAAG,CAAC,CACpC,CACH,CAAC;IACJ,CAAC;IACD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,IAAI,aAAa,EAAE,CAAC;YAClB,OAAO,CAAC,IAAI,CAAC,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,QAAQ,CAAC,CAAC,CAAC;QACvD,CAAC;QACD,IAAI,KAAK,EAAE,CAAC;YACV,OAAO,CAAC,IAAI,CACV,GAAG,CACD,EAAE,CAAC,aAAa,CAAC,UAAU,EAAE,KAAK,CAAC,EACnC,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,KAAK,CAAC,CAC9B,CACH,CAAC;QACJ,CAAC;IACH,CAAC;IACD,IAAI,SAAS,EAAE,CAAC;QACd,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,SAAS;0BACtC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,OAAO,CAAC,IAAI,CACV,GAAG,CAAA,yBAAyB,WAAW;0BACnB,WAAW,CAAC,UAAU,MAAM,aAAa,CAAC,EAAE;0BAC5C,WAAW,CAAC,aAAa;0BACzB,WAAW,CAAC,WAAW,MAAM,KAAK;0BAClC,UAAU,CAAC,OAAO,CAAC,GAAG,CAC3C,CAAC;IACJ,CAAC;IAED,OAAO,EAAE,CAAC,GAAG,OAAO,CAAC,IAAI,GAAG,CAAA,KAAK,CAAC;AACpC,CAAC;AAED,SAAS,gBAAgB,CAAC,aAAkB,EAAE,GAAkB;IAC9D,IAAI,GAAG,CAAC,KAAK,EAAE,CAAC;QACd,yEAAyE;QACzE,2EAA2E;QAC3E,uEAAuE;QACvE,OAAO,EAAE,CACP,EAAE,CAAC,aAAa,CAAC,KAAK,EAAE,GAAG,CAAC,KAAK,CAAC,EAClC,GAAG,CAAA,GAAG,aAAa,CAAC,KAAK,UAAU,CACnC,CAAC;IACL,CAAC;IACD,OAAO,GAAG,CAAA,GAAG,aAAa,CAAC,KAAK,UAAU,CAAC;AAC7C,CAAC;AAED,SAAS,uBAAuB,CAAC,QAAa,EAAE,GAAkB;IAChE,MAAM,aAAa,GAAG,QAAQ,EAAE,KAAK,IAAI,IAAI,CAAC;IAC9C,IAAI,CAAC,aAAa;QAAE,OAAO,IAAI,CAAC;IAChC,OAAO,GAAG,CAAC,KAAK,KAAK,aAAa,CAAC;AACrC,CAAC;AAED,SAAS,UAAU,CAAC,OAAkB;IACpC,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,4BAA4B;QAC5B,OAAO,GAAG,CAAA,KAAK,CAAC;IAClB,CAAC;IACD,IAAI,OAAO,KAAK,QAAQ,EAAE,CAAC;QACzB,OAAO,GAAG,CAAA,4BAA4B,CAAC;IACzC,CAAC;IACD,OAAO,GAAG,CAAA,gBAAgB,CAAC;AAC7B,CAAC;AASD;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,aAAa,CACjC,YAAoB,EACpB,UAAkB,EAClB,MAAqB,aAAa,EAAE;IAEpC,MAAM,GAAG,GAAG,wBAAwB,CAAC,YAAY,CAAC,CAAC;IACnD,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAE9B,MAAM,CAAC,QAAQ,CAAC,GAAG,MAAM,EAAE;SACxB,MAAM,EAAE;SACR,IAAI,CAAC,GAAG,CAAC,aAAa,CAAC;SACvB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,aAAa,CAAC,EAAE,EAAE,UAAU,CAAC,CAAC,CAAC;IAC/C,IAAI,CAAC,QAAQ;QAAE,OAAO,IAAI,CAAC;IAE3B,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IAEjC,IACE,SAAS;QACT,QAAQ,CAAC,UAAU,KAAK,SAAS;QACjC,uBAAuB,CAAC,QAAQ,EAAE,GAAG,CAAC,EACtC,CAAC;QACD,OAAO,EAAE,IAAI,EAAE,OAAO,EAAE,QAAQ,EAAE,CAAC;IACrC,CAAC;IACD,IAAI,QAAQ,CAAC,UAAU,KAAK,QAAQ,IAAI,GAAG,CAAC,WAAW,KAAK,KAAK,EAAE,CAAC;QAClE,6DAA6D;QAC7D,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,2EAA2E;IAC3E,0EAA0E;IAC1E,mCAAmC;IACnC,IAAI,QAAQ,CAAC,UAAU,KAAK,KAAK,IAAI,KAAK,IAAI,QAAQ,CAAC,KAAK,KAAK,KAAK,EAAE,CAAC;QACvE,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;QAC1D,OAAO,EAAE,IAAI,EAAE,IAAI,IAAI,QAAQ,EAAE,QAAQ,EAAE,CAAC;IAC9C,CAAC;IACD,MAAM,IAAI,GAAG,MAAM,gBAAgB,CAAC,GAAG,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAC1D,IAAI,IAAI;QAAE,OAAO,EAAE,IAAI,EAAE,QAAQ,EAAE,CAAC;IACpC,OAAO,IAAI,CAAC;AACd,CAAC;AAED,KAAK,UAAU,gBAAgB,CAC7B,GAAkC,EAClC,UAAkB,EAClB,GAAkB;IAElB,MAAM,EAAE,SAAS,EAAE,KAAK,EAAE,GAAG,GAAG,CAAC;IACjC,IAAI,CAAC,SAAS,IAAI,CAAC,KAAK;QAAE,OAAO,IAAI,CAAC;IACtC,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;IAE9B,MAAM,gBAAgB,GAA6B,EAAE,CAAC;IACtD,IAAI,SAAS,EAAE,CAAC;QACd,gBAAgB,CAAC,IAAI,CACnB,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,MAAM,CAAC,EACzC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,SAAS,CAAC,CAC3C,CACF,CAAC;IACJ,CAAC;IACD,IAAI,KAAK,EAAE,CAAC;QACV,gBAAgB,CAAC,IAAI,CACnB,GAAG,CACD,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,aAAa,EAAE,KAAK,CAAC,EACxC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,WAAW,EAAE,KAAK,CAAC,CACvC,CACF,CAAC;IACJ,CAAC;IAED,MAAM,IAAI,GAAG,MAAM,EAAE;SAClB,MAAM,CAAC,EAAE,IAAI,EAAE,GAAG,CAAC,WAAW,CAAC,IAAI,EAAE,CAAC;SACtC,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;SACrB,KAAK,CACJ,GAAG,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,UAAU,CAAC,EAAE,EAAE,CAAC,GAAG,gBAAgB,CAAC,CAAC,CACzE;SACA,KAAK,CAAC,EAAE,CAAC,CAAC;IAEb,IAAI,IAAI,GAAqB,IAAI,CAAC;IAClC,KAAK,MAAM,CAAC,IAAI,IAAkC,EAAE,CAAC;QACnD,IAAI,CAAC,IAAI,IAAI,SAAS,CAAC,CAAC,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,IAAI,CAAC;YAAE,IAAI,GAAG,CAAC,CAAC,IAAI,CAAC;IAClE,CAAC;IACD,OAAO,IAAI,CAAC;AACd,CAAC;AAED;;;GAGG;AACH,MAAM,CAAC,KAAK,UAAU,YAAY,CAChC,YAAoB,EACpB,UAAkB,EAClB,UAA+B,QAAQ,EACvC,MAAqB,aAAa,EAAE;IAEpC,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,YAAY,EAAE,UAAU,EAAE,GAAG,CAAC,CAAC;IAClE,IAAI,CAAC,MAAM,EAAE,CAAC;QACZ,MAAM,IAAI,cAAc,CAAC,gBAAgB,YAAY,IAAI,UAAU,EAAE,CAAC,CAAC;IACzE,CAAC;IACD,IAAI,SAAS,CAAC,MAAM,CAAC,IAAI,CAAC,GAAG,SAAS,CAAC,OAAO,CAAC,EAAE,CAAC;QAChD,MAAM,IAAI,cAAc,CACtB,YAAY,OAAO,YAAY,YAAY,IAAI,UAAU,UAAU,MAAM,CAAC,IAAI,GAAG,CAClF,CAAC;IACJ,CAAC;IACD,OAAO,MAAM,CAAC;AAChB,CAAC","sourcesContent":["/**\n * Access-control helpers for shareable resources.\n *\n * The access model combines:\n * 1. Direct ownership — `owner_email = currentUser`.\n * 2. Visibility — `'private' | 'org' | 'public'`. `org` grants read to anyone\n *    in the same org; `public` grants read to any authenticated user.\n * 3. Share rows — per-user or per-org grants in the `{type}_shares` table\n *    with a role (`viewer | editor | admin`).\n *\n * Use `applyAccessFilter()` on list/read queries to filter rows the current\n * user can see. Use `assertAccess()` at the top of write actions to reject\n * callers who lack the required role.\n */\n\nimport { and, eq, or, sql, type SQL } from \"drizzle-orm\";\nimport {\n  getRequestUserEmail,\n  getRequestOrgId,\n} from \"../server/request-context.js\";\nimport {\n  listShareableResources,\n  requireShareableResource,\n  type ShareableResourceRegistration,\n} from \"./registry.js\";\nimport { ROLE_RANK, type ShareRole } from \"./schema.js\";\n\n/**\n * Find a registration by its drizzle table identity. Used to look up\n * per-resource policy flags (e.g. `allowPublic`) inside `accessFilter`,\n * which receives only the table — not the resource-type name.\n *\n * Identity is stable within a single bundle (Vite dedupes module instances);\n * the SSR/server side is the only caller, so per-bundle identity is fine.\n */\nfunction findRegistrationByTable(\n  resourceTable: any,\n): ShareableResourceRegistration | undefined {\n  for (const reg of listShareableResources()) {\n    if (reg.resourceTable === resourceTable) return reg;\n  }\n  return undefined;\n}\n\nexport class ForbiddenError extends Error {\n  statusCode = 403;\n  constructor(message = \"Forbidden\") {\n    super(message);\n    this.name = \"ForbiddenError\";\n  }\n}\n\nexport interface AccessContext {\n  userEmail?: string;\n  orgId?: string;\n}\n\n/** Current request's access context. Pulls from request-context ALS. */\nexport function currentAccess(): AccessContext {\n  return {\n    userEmail: getRequestUserEmail(),\n    orgId: getRequestOrgId(),\n  };\n}\n\n/**\n * Build a Drizzle `WHERE` clause that admits rows the current user can see.\n * Pass the ownable resource table and its shares table; optional min role\n * (defaults to 'viewer') gates which share rows count.\n *\n * `visibility = 'public'` is intentionally NOT admitted by default. Public\n * means \"anyone with the link can view\" (still honoured by `resolveAccess`\n * for read-by-id), not \"appears in every signed-in user's list/sidebar.\"\n * Pass `{ includePublic: true }` for the rare list endpoint that wants\n * cross-user public discovery (a public template gallery, for example).\n *\n * Example:\n *\n *   const rows = await db\n *     .select()\n *     .from(schema.documents)\n *     .where(accessFilter(schema.documents, schema.documentShares));\n */\nexport function accessFilter(\n  resourceTable: any,\n  sharesTable: any,\n  ctx: AccessContext = currentAccess(),\n  minRole: ShareRole = \"viewer\",\n  options: { includePublic?: boolean } = {},\n): SQL {\n  const { userEmail, orgId } = ctx;\n  // Defense in depth — resources registered with `allowPublic: false` must\n  // never participate in cross-user \"public\" discovery, even if a caller\n  // accidentally passes `includePublic: true` or if a stale public row sits\n  // in the DB.\n  const reg = findRegistrationByTable(resourceTable);\n  const publicAllowed = reg?.allowPublic !== false;\n  const includePublic = (options.includePublic ?? false) && publicAllowed;\n  const clauses: SQL[] = [];\n\n  if (userEmail) {\n    clauses.push(\n      and(\n        eq(resourceTable.ownerEmail, userEmail),\n        ownerScopeFilter(resourceTable, ctx),\n      )!,\n    );\n  }\n  if (minRole === \"viewer\") {\n    if (includePublic) {\n      clauses.push(eq(resourceTable.visibility, \"public\"));\n    }\n    if (orgId) {\n      clauses.push(\n        and(\n          eq(resourceTable.visibility, \"org\"),\n          eq(resourceTable.orgId, orgId),\n        )!,\n      );\n    }\n  }\n  if (userEmail) {\n    clauses.push(\n      sql`exists (select 1 from ${sharesTable}\n                  where ${sharesTable.resourceId} = ${resourceTable.id}\n                    and ${sharesTable.principalType} = 'user'\n                    and ${sharesTable.principalId} = ${userEmail}\n                    and ${minRoleSql(minRole)})`,\n    );\n  }\n  if (orgId) {\n    clauses.push(\n      sql`exists (select 1 from ${sharesTable}\n                  where ${sharesTable.resourceId} = ${resourceTable.id}\n                    and ${sharesTable.principalType} = 'org'\n                    and ${sharesTable.principalId} = ${orgId}\n                    and ${minRoleSql(minRole)})`,\n    );\n  }\n\n  return or(...clauses) ?? sql`1=0`;\n}\n\nfunction ownerScopeFilter(resourceTable: any, ctx: AccessContext): SQL {\n  if (ctx.orgId) {\n    // Rows created before org-scoping, or in solo mode, have no org_id. Keep\n    // them manageable by their owner after the owner joins or switches into an\n    // organization, while still keeping rows from other orgs out of scope.\n    return or(\n      eq(resourceTable.orgId, ctx.orgId),\n      sql`${resourceTable.orgId} IS NULL`,\n    )!;\n  }\n  return sql`${resourceTable.orgId} IS NULL`;\n}\n\nfunction ownerMatchesActiveScope(resource: any, ctx: AccessContext): boolean {\n  const resourceOrgId = resource?.orgId ?? null;\n  if (!resourceOrgId) return true;\n  return ctx.orgId === resourceOrgId;\n}\n\nfunction minRoleSql(minRole: ShareRole): SQL {\n  if (minRole === \"viewer\") {\n    // any role satisfies viewer\n    return sql`1=1`;\n  }\n  if (minRole === \"editor\") {\n    return sql`role in ('editor','admin')`;\n  }\n  return sql`role = 'admin'`;\n}\n\nexport interface ResolvedAccess {\n  /** Effective role: 'owner' for the resource owner, or the share role. */\n  role: \"owner\" | ShareRole;\n  /** The resource row (already loaded). */\n  resource: any;\n}\n\n/**\n * Return the effective role the current user has on a specific resource, or\n * null if they have no access. Loads the resource and relevant share rows.\n */\nexport async function resolveAccess(\n  resourceType: string,\n  resourceId: string,\n  ctx: AccessContext = currentAccess(),\n): Promise<ResolvedAccess | null> {\n  const reg = requireShareableResource(resourceType);\n  const db = reg.getDb() as any;\n\n  const [resource] = await db\n    .select()\n    .from(reg.resourceTable)\n    .where(eq(reg.resourceTable.id, resourceId));\n  if (!resource) return null;\n\n  const { userEmail, orgId } = ctx;\n\n  if (\n    userEmail &&\n    resource.ownerEmail === userEmail &&\n    ownerMatchesActiveScope(resource, ctx)\n  ) {\n    return { role: \"owner\", resource };\n  }\n  if (resource.visibility === \"public\" && reg.allowPublic !== false) {\n    // No share row needed; default viewer unless upgraded below.\n    const role = await highestShareRole(reg, resourceId, ctx);\n    return { role: role ?? \"viewer\", resource };\n  }\n  // `visibility === \"public\"` on an `allowPublic: false` resource is treated\n  // as private: only owner + explicit shares grant access. Falls through to\n  // the explicit-share lookup below.\n  if (resource.visibility === \"org\" && orgId && resource.orgId === orgId) {\n    const role = await highestShareRole(reg, resourceId, ctx);\n    return { role: role ?? \"viewer\", resource };\n  }\n  const role = await highestShareRole(reg, resourceId, ctx);\n  if (role) return { role, resource };\n  return null;\n}\n\nasync function highestShareRole(\n  reg: ShareableResourceRegistration,\n  resourceId: string,\n  ctx: AccessContext,\n): Promise<ShareRole | null> {\n  const { userEmail, orgId } = ctx;\n  if (!userEmail && !orgId) return null;\n  const db = reg.getDb() as any;\n\n  const principalClauses: ReturnType<typeof and>[] = [];\n  if (userEmail) {\n    principalClauses.push(\n      and(\n        eq(reg.sharesTable.principalType, \"user\"),\n        eq(reg.sharesTable.principalId, userEmail),\n      ),\n    );\n  }\n  if (orgId) {\n    principalClauses.push(\n      and(\n        eq(reg.sharesTable.principalType, \"org\"),\n        eq(reg.sharesTable.principalId, orgId),\n      ),\n    );\n  }\n\n  const rows = await db\n    .select({ role: reg.sharesTable.role })\n    .from(reg.sharesTable)\n    .where(\n      and(eq(reg.sharesTable.resourceId, resourceId), or(...principalClauses)),\n    )\n    .limit(10);\n\n  let best: ShareRole | null = null;\n  for (const r of rows as Array<{ role: ShareRole }>) {\n    if (!best || ROLE_RANK[r.role] > ROLE_RANK[best]) best = r.role;\n  }\n  return best;\n}\n\n/**\n * Throw ForbiddenError if the current user can't act on this resource with at\n * least the given role. Used at the top of update/delete actions.\n */\nexport async function assertAccess(\n  resourceType: string,\n  resourceId: string,\n  minRole: ShareRole | \"owner\" = \"viewer\",\n  ctx: AccessContext = currentAccess(),\n): Promise<ResolvedAccess> {\n  const access = await resolveAccess(resourceType, resourceId, ctx);\n  if (!access) {\n    throw new ForbiddenError(`No access to ${resourceType} ${resourceId}`);\n  }\n  if (ROLE_RANK[access.role] < ROLE_RANK[minRole]) {\n    throw new ForbiddenError(\n      `Requires ${minRole} role on ${resourceType} ${resourceId} (have ${access.role})`,\n    );\n  }\n  return access;\n}\n"]}

package/dist/sharing/actions/list-resource-shares.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"list-resource-shares.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":";AAMA,wBAiCG"}
+{"version":3,"file":"list-resource-shares.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":";AAMA,wBAyCG"}

package/dist/sharing/actions/list-resource-shares.js

@@ -12,9 +12,15 @@ export default defineAction({
     http: { method: "GET" },
     run: async (args) => {
         const reg = requireShareableResource(args.resourceType);
+        const policy = {
+            // Defaults match registration defaults so the UI behaves the same for
+            // resources that haven't opted into restrictions.
+            allowPublic: reg.allowPublic !== false,
+            requireOrgMemberForUserShares: reg.requireOrgMemberForUserShares === true,
+        };
         const access = await resolveAccess(args.resourceType, args.resourceId);
         if (!access)
-            return { ownerEmail: null, visibility: null, shares: [] };
+            return { ownerEmail: null, visibility: null, shares: [], policy };
         const db = reg.getDb();
         const shares = await db
             .select()
@@ -32,6 +38,7 @@ export default defineAction({
                 role: s.role,
                 createdAt: s.createdAt,
             })),
+            policy,
         };
     },
 });

package/dist/sharing/actions/list-resource-shares.js.map

@@ -1 +1 @@
-{"version":3,"file":"list-resource-shares.js","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,sGAAsG;IACxG,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB,CAAC;IACF,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;IACvB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM;YAAE,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,CAAC;QAEvE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;aACrB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAE1D,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI;YAC9C,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,IAAI;YACpC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,SAAS;YACnD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBAC9B,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,aAAa,EAAE,CAAC,CAAC,aAAa;gBAC9B,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,SAAS,EAAE,CAAC,CAAC,SAAS;aACvB,CAAC,CAAC;SACJ,CAAC;IACJ,CAAC;CACF,CAAC,CAAC","sourcesContent":["import { eq } from \"drizzle-orm\";\nimport { z } from \"zod\";\nimport { defineAction } from \"../../action.js\";\nimport { resolveAccess } from \"../access.js\";\nimport { requireShareableResource } from \"../registry.js\";\n\nexport default defineAction({\n  description:\n    \"List the current visibility and share grants on a shareable resource. Any read access is sufficient.\",\n  schema: z.object({\n    resourceType: z.string(),\n    resourceId: z.string(),\n  }),\n  http: { method: \"GET\" },\n  run: async (args) => {\n    const reg = requireShareableResource(args.resourceType);\n    const access = await resolveAccess(args.resourceType, args.resourceId);\n    if (!access) return { ownerEmail: null, visibility: null, shares: [] };\n\n    const db = reg.getDb() as any;\n    const shares = await db\n      .select()\n      .from(reg.sharesTable)\n      .where(eq(reg.sharesTable.resourceId, args.resourceId));\n\n    return {\n      ownerEmail: access.resource.ownerEmail ?? null,\n      orgId: access.resource.orgId ?? null,\n      visibility: access.resource.visibility ?? \"private\",\n      role: access.role,\n      shares: shares.map((s: any) => ({\n        id: s.id,\n        principalType: s.principalType,\n        principalId: s.principalId,\n        role: s.role,\n        createdAt: s.createdAt,\n      })),\n    };\n  },\n});\n"]}
+{"version":3,"file":"list-resource-shares.js","sourceRoot":"","sources":["../../../src/sharing/actions/list-resource-shares.ts"],"names":[],"mappings":"AAAA,OAAO,EAAE,EAAE,EAAE,MAAM,aAAa,CAAC;AACjC,OAAO,EAAE,CAAC,EAAE,MAAM,KAAK,CAAC;AACxB,OAAO,EAAE,YAAY,EAAE,MAAM,iBAAiB,CAAC;AAC/C,OAAO,EAAE,aAAa,EAAE,MAAM,cAAc,CAAC;AAC7C,OAAO,EAAE,wBAAwB,EAAE,MAAM,gBAAgB,CAAC;AAE1D,eAAe,YAAY,CAAC;IAC1B,WAAW,EACT,sGAAsG;IACxG,MAAM,EAAE,CAAC,CAAC,MAAM,CAAC;QACf,YAAY,EAAE,CAAC,CAAC,MAAM,EAAE;QACxB,UAAU,EAAE,CAAC,CAAC,MAAM,EAAE;KACvB,CAAC;IACF,IAAI,EAAE,EAAE,MAAM,EAAE,KAAK,EAAE;IACvB,GAAG,EAAE,KAAK,EAAE,IAAI,EAAE,EAAE;QAClB,MAAM,GAAG,GAAG,wBAAwB,CAAC,IAAI,CAAC,YAAY,CAAC,CAAC;QACxD,MAAM,MAAM,GAAG;YACb,sEAAsE;YACtE,kDAAkD;YAClD,WAAW,EAAE,GAAG,CAAC,WAAW,KAAK,KAAK;YACtC,6BAA6B,EAAE,GAAG,CAAC,6BAA6B,KAAK,IAAI;SAC1E,CAAC;QACF,MAAM,MAAM,GAAG,MAAM,aAAa,CAAC,IAAI,CAAC,YAAY,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC;QACvE,IAAI,CAAC,MAAM;YACT,OAAO,EAAE,UAAU,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE,MAAM,EAAE,EAAE,EAAE,MAAM,EAAE,CAAC;QAEpE,MAAM,EAAE,GAAG,GAAG,CAAC,KAAK,EAAS,CAAC;QAC9B,MAAM,MAAM,GAAG,MAAM,EAAE;aACpB,MAAM,EAAE;aACR,IAAI,CAAC,GAAG,CAAC,WAAW,CAAC;aACrB,KAAK,CAAC,EAAE,CAAC,GAAG,CAAC,WAAW,CAAC,UAAU,EAAE,IAAI,CAAC,UAAU,CAAC,CAAC,CAAC;QAE1D,OAAO;YACL,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,IAAI;YAC9C,KAAK,EAAE,MAAM,CAAC,QAAQ,CAAC,KAAK,IAAI,IAAI;YACpC,UAAU,EAAE,MAAM,CAAC,QAAQ,CAAC,UAAU,IAAI,SAAS;YACnD,IAAI,EAAE,MAAM,CAAC,IAAI;YACjB,MAAM,EAAE,MAAM,CAAC,GAAG,CAAC,CAAC,CAAM,EAAE,EAAE,CAAC,CAAC;gBAC9B,EAAE,EAAE,CAAC,CAAC,EAAE;gBACR,aAAa,EAAE,CAAC,CAAC,aAAa;gBAC9B,WAAW,EAAE,CAAC,CAAC,WAAW;gBAC1B,IAAI,EAAE,CAAC,CAAC,IAAI;gBACZ,SAAS,EAAE,CAAC,CAAC,SAAS;aACvB,CAAC,CAAC;YACH,MAAM;SACP,CAAC;IACJ,CAAC;CACF,CAAC,CAAC","sourcesContent":["import { eq } from \"drizzle-orm\";\nimport { z } from \"zod\";\nimport { defineAction } from \"../../action.js\";\nimport { resolveAccess } from \"../access.js\";\nimport { requireShareableResource } from \"../registry.js\";\n\nexport default defineAction({\n  description:\n    \"List the current visibility and share grants on a shareable resource. Any read access is sufficient.\",\n  schema: z.object({\n    resourceType: z.string(),\n    resourceId: z.string(),\n  }),\n  http: { method: \"GET\" },\n  run: async (args) => {\n    const reg = requireShareableResource(args.resourceType);\n    const policy = {\n      // Defaults match registration defaults so the UI behaves the same for\n      // resources that haven't opted into restrictions.\n      allowPublic: reg.allowPublic !== false,\n      requireOrgMemberForUserShares: reg.requireOrgMemberForUserShares === true,\n    };\n    const access = await resolveAccess(args.resourceType, args.resourceId);\n    if (!access)\n      return { ownerEmail: null, visibility: null, shares: [], policy };\n\n    const db = reg.getDb() as any;\n    const shares = await db\n      .select()\n      .from(reg.sharesTable)\n      .where(eq(reg.sharesTable.resourceId, args.resourceId));\n\n    return {\n      ownerEmail: access.resource.ownerEmail ?? null,\n      orgId: access.resource.orgId ?? null,\n      visibility: access.resource.visibility ?? \"private\",\n      role: access.role,\n      shares: shares.map((s: any) => ({\n        id: s.id,\n        principalType: s.principalType,\n        principalId: s.principalId,\n        role: s.role,\n        createdAt: s.createdAt,\n      })),\n      policy,\n    };\n  },\n});\n"]}

package/dist/sharing/actions/set-resource-visibility.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"set-resource-visibility.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/set-resource-visibility.ts"],"names":[],"mappings":";AAMA,wBAqBG"}
+{"version":3,"file":"set-resource-visibility.d.ts","sourceRoot":"","sources":["../../../src/sharing/actions/set-resource-visibility.ts"],"names":[],"mappings":";AAOA,wBAmCG"}